I have the following question regarding a decision which impacts the ISO27001:
The owner/management (small company) has a company e-mail addresses. The owner does not like working with the company e-mail solution, so he wants to automatically forward the incoming e-mails from his company inbox to his private email account (with Gmail). Additionally, he wants to send E-mails from his private email account where the sender will be shown as his company email. The use of private email addresses is generally prohibited (currently implementing policy for employees etc.). Is it possible to create an exclusion in the policies for the owner/CEO and what other implications does this e-mail forwarding/relay have with regard to the ISO27001 certification? The whole company is in the ISMS scope, but not the mentioned private email account.
Assign topic to the user
ISO 27001 does not prescribe specific rules on email security, only that related unacceptable risks are treated. Considered that, it is possible to create exclusions for the use of email service to fulfill this specific need, provided that unacceptable risks related to e-mail forwarding/relay are treated.
Comment as guest or Sign in
Oct 18, 2019