Expert Advice Community

Guest

Environment and Scope

  Quote
Guest
Guest user Created:   Sep 30, 2023 Last commented:   Sep 30, 2023

Environment and Scope

As a higher education institution, we operate in a hybrid environment encompassing cloud and on-premise resources, third-party services, as well as both in-house and outsourced application development. Our ISMS scope is currently confined to the IT department. Given this, which assets should we include in our ISMS? 

Should it be limited to IT assets such as infrastructure, servers, network systems, applications, data centers, UPS, air conditioning, connectivity, and IT human resources? Or should we extend the scope to include departments like HR and Procurement?

When it comes to setting our ISMS objectives, considering the scope is limited to the IT department, should the security objectives also be confined to IT-related security measures?

0 0

Assign topic to the user

ISO 27001 ISMS SCOPE DOCUMENT

Define the boundaries of ISMS for ISO 27001.

ISO 27001 ISMS SCOPE DOCUMENT

Define the boundaries of ISMS for ISO 27001.

Expert
Rhand Leal Sep 30, 2023

1 - As a higher education institution, we operate in a hybrid environment encompassing cloud and on-premise resources, third-party services, as well as both in-house and outsourced application development. Our ISMS scope is currently confined to the IT department. Given this, which assets should we include in our ISMS? 

Since the current ISMS scope is confined to the IT department, the assets to be considered for the ISMS should be those directly under the control of the IT department (e.g., on-premise resources, in-house application development, data for SaaS, data and applications for IaaS etc.).

2 - Should it be limited to IT assets such as infrastructure, servers, network systems, applications, data centers, UPS, air conditioning, connectivity, and IT human resources? Or should we extend the scope to include departments like HR and Procurement?

Each company can decide what ISMS scope best fits their needs. This is usually done based on customer requirements - if the customers require only the IT department to be certified, then this is usually enough.

3 - When it comes to setting our ISMS objectives, considering the scope is limited to the IT department, should the security objectives also be confined to IT-related security measures?

Besides the IT-related security objectives, the ISMS objectives should also be considered in terms of added value to the company. For example, to decrease the number of information security incidents by 50% in the next year.

These articles will provide you with further explanation about defining the ISMS scope and objectives:

This tool for defining the ISO 27001 ISMS scope can also help you.

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Sep 29, 2023

Sep 29, 2023