The scope of our certification is the IT Customer Operation Department, including Internal IT, Engineering and Infrastructure.
HR and Legal are excluded from the scope. My question is whether I can exclude all the controls which are in their responsibility, for example Securing Offices, Disciplinary Process or Identification of applicable legislation.
Thank you in advance for your opinion.
One more question: do you also offer consultation?
Answer:
You can exclude controls only if there are no risks which would require such controls. So if after the risk assessment & treatment you do not need these controls to reduce risks, you can exclude them.
Anyway, from my point of view, generally you cannot exclude controls related to compliance, laws or applicable legislation, because they are requirements of the business.
This article may be interesting for you: ISO 27001 risk assessment & treatment - 6 basic steps: https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
And also this article: How to define the ISMS scope: https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
Regarding your last question, yes, we offer consulting services for the implementation of ISO 27001 in your business if you buy our toolkit, although you can also ask us questions related to ISO 27001 and/or ISO 22301 without cost.
Jan 13, 2016