left-svg
Bonus expert support worth $500
with the ISO 27001 Documentation Toolkit
Limited-time offer – ends June 30, 2022.
right-svg

Expert Advice Community

Guest

Establishment of the scope of the ISMS ISO 27001:2013

  Quote
Guest
Guest user Created:   May 30, 2022 Last commented:   May 30, 2022

Establishment of the scope of the ISMS ISO 27001:2013

Good morning , Could you help me with a practical guide and/or examples to help me establish the scope of my Information Security Management System (ISMS) and comply with ISO 27001:2013. What considerations should I take into account to establish the scope of the ISMS? I give a context of My Organization: My Company has a Mixed Operations model: Employees in telecommuting mode and some employees in a Physical office and we occasionally rent a Coworking for meetings or for some group activities and/or meetings with clients. In the short term we will only have Telecommuting Employees and we will deliver the Physical Office All our application servers are in the cloud (we have a private cloud) we use Microsoft Office 365 and google gsuite, zoom. Employees from software development, designers, analysts and data scientists connect via VPN to the private cloud and each have a virtualized Windows 10 computer for their work. Salespeople do not connect via vpn to the private cloud, they only use web applications (Office 365, google gsuite, zoom, crm). The accounting area is connected by remote desktop to its own server in the private cloud of It is an RDP server (Remote Desktop server) They (commercial and administrative area) are assigned a company team. Developers, designers, analysts are normally allowed to work from their own personal computer but only to connect via vpn to the cloud. Very few have asked the company to assign them a team for telecommuting. We have a task that weekly downloads the backups of our main virtual servers and the virtual teams of the developers that are in the cloud to a storage server that is in our physical office. Our servers are in a datacenter that has ISO 27001:2013 certification In the physical office we have 4 servers but they are only for backup storage and for tests.
0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal May 30, 2022

First is important to note that an ISMS scope can be defined in terms of processes, location, or information to be protected.

Considering that, and your stated scenario, you should define your ISMS scope either in terms of processes (development process, sales process, account process, etc.) or information to be protected (e.g., customer information, financial information, etc.).

By the way, included with your toolkit you have access to a video tutorial that can help you define your ISMS scope. This video contains examples.

For further information, see:
- Tool for defining the ISO 27001 ISMS scope https://advisera.com/insight/chatbot-tool-iso-27001-scope/
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

May 30, 2022

May 30, 2022

Suggested Topics

Guest user Created:   1d ago ISO 27001 & 22301
Replies: 1
0 0

ISMS implementation

Guest user Created:   Jun 22, 2022 ISO 27001 & 22301
Replies: 1
0 0

ISO 27001 templates

Guest user Created:   Jun 22, 2022 ISO 27001 & 22301
Replies: 1
0 0

Scope Document