Expert Advice Community

Guest

Documenting scope of ISMS

  Quote
Guest
user Created:   Oct 18, 2022 Last commented:   Oct 25, 2022

Documenting scope of ISMS

X company outsourcing the main business product (source code, software application and maintenance) and IT services(office network, and maintenance) from Third party.  Now,  The X compay is trying to document its ISMS scope accroding to clause 4.3

The scope document must include Process and Services, Organizational Unit, Locations, and Networks and IT infrastucture. However, X company doesn't have IT department, and all IT and network related works go to Third party. X company doesn't own a single switch or server. 

My question is Do we need to include Third party's network diagram, IT infrastucture, servers, and network devices in the scope if these are touches our main product?

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Oct 19, 2022

Outsourced departments, networks, and infrastructure do not need to be included in the ISMS scope. You can define them as scope exclusions, explaining that such elements are outsourced.

For further information about ISMS scope, please see:

Quote
0 0
Guest
user Oct 20, 2022

If we do not include outsourced IT services in our ISMS scope, does it mean we also do not need to apply all technical controls in SOA?

Thanks for your reply Rhand Leal, and also for your company's free lessons which is very helpful.

Quote
0 0
Expert
Rhand Leal Oct 25, 2022

Please note that the application of controls in SoA is not necessarily related to the ISMS scope, but to the results of risks assessment and identified applicable legal requirements (e.g., laws, regulations, and contracts). This means that some controls will be implemented by your company, and some controls by your suppliers or partners.

For example, even if you do not include outsourced IT services in our ISMS scope, you may have a contract with a customer requiring the implementation of technical control, then this technical control needs to be stated in the SoA as applicable and implemented by your supplier.

Quote
0 1

Comment as guest or Sign in

HTML tags are not allowed

Oct 18, 2022

Oct 25, 2022