Expert Advice Community

Guest

Defining the scope of the ISMS

  Quote
Guest
Guest user Created:   May 05, 2021 Last commented:   May 05, 2021

Defining the scope of the ISMS

We're working with the documents and the process goes well overall.

I do have a question on defining the scope of the ISMS. We are a software consulting company, we have our own products, but we also deliver development services to customers. I want to express that software that we develop and manage (SaaS) on our own terms (our own products) fall within the scope of the ISMS. When we work for customers, we want to follow whatever guidelines our customer asks for. In addition to the software development services themselves, the overall IT infrastructure and security of all departments (backups, password rules, network security, anti-virus rules, ...) by our personnel should in general fall within the scope of our ISMS. I wrote down the scope as below, but I wonder if the last bullet point is not too broad, pulling *all* general processes within the scope of the ISMS (e.g. company car policy?). What's your opinion on the definition of the scope of our ISMS as stated below? Any suggestions to get closer to what I described above?

The following processes and services are included:

The software development life cycle processes of *** software products.
The operational processes of *** SAAS products including SAAS products hosted in the cloud.
Software development services delivered to third parties, insofar contractual agreements contain Secure software development life cycle requirements (SDLC).
System administration services delivered to third parties, insofar contractual agreements contain ISMS requirements.
Internal general processes, and operations (e.g., HR, Finance, Accounting, Sales, ...).

0 0

Assign topic to the user

Assign

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal May 05, 2021

Considering you referred to “…overall IT infrastructure and security of all departments…”, then your last bullet makes sense because it basically defines all your organization in your ISMS scope.

In case you want something specific out of the scope (e.g., a specific process or department), you can state this part as an exclusion in your scope document.

Please note that you do not need to include in the scope references to contractual agreements (this may unnecessarily restrict your scope) because these can be defined in a separated document (the List of Regulatory, Contractual and Other Requirements template, include in folder 2 of your ISO 27001 Documentation Toolkit).

These articles will provide you a further explanation about scope definition:

These materials will also help you regarding scope definition:

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

May 05, 2021

May 05, 2021

Suggested Topics

Guest user Created:   Mar 23, 2021 ISO 27001 & 22301
Replies: 3
0 0

Defining an ISMS scope

Guest user Created:   Jul 17, 2021 ISO 27001 & 22301
Replies: 1
0 0

Scope definition