Documenting scope of ISMS
X company is outsourcing the main business product (source code, software application and maintenance) and IT services (office network, and maintenance) from a third party. Now, X company is trying to document its ISMS scope according to clause 4.3.
The scope document must include Processes and Services, Organizational Units, Locations, and Networks and IT infrastructure. However, X company doesn't have an IT department, and all IT and network related work goes to the third party. X company doesn't own a single switch or server.
My question is: do we need to include the third party's network diagram, IT infrastructure, servers, and network devices in the scope if these touch our main product?
Outsourced departments, networks, and infrastructure do not need to be included in the ISMS scope. You can define them as scope exclusions, explaining that such elements are outsourced.
For further information about ISMS scope, please see:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Tool for defining the ISO 27001 ISMS scope https://advisera.com/insight/chatbot-tool-iso-27001-scope/
If we do not include outsourced IT services in our ISMS scope, does it mean we also do not need to apply all technical controls in SOA?
Thanks for your reply Rhand Leal, and also for your company's free lessons, which are very helpful.
Please note that the application of controls in the SoA is not necessarily related to the ISMS scope, but to the results of the risk assessment and identified applicable legal requirements (e.g., laws, regulations, and contracts). This means that some controls will be implemented by your company, and some controls by your suppliers or partners.
For example, even if you do not include outsourced IT services in your ISMS scope, you may have a contract with a customer requiring the implementation of a technical control; this technical control then needs to be stated in the SoA as applicable and implemented by your supplier.
Oct 25, 2022