Expert Advice Community


Help with ISMS Scope Definition

Guest
Guest user Created:   Jun 10, 2021 Last commented:   Jun 10, 2021


Hi Dejan,

Hope you are doing well. I bought your toolkit, but I still have some issues with the ISMS documents preparation. For instance:

- The Document of the scope

The company has around 120 employees, has 2 sites, and 3 different activities: IT Solution integration, Training, and Cloud service provider. One site contains the IT Solution integration and training Divisions with the HR & Commercial Departments, the other site contains the Cloud Division. The company wants to certify only the Cloud Activity, but I want to check if we should include in the Scope the HR and Commercial departments to respond to the A.7 requirements and the security of customers' personal information & customers' contracts.

- The Business Continuity

Should we also prepare all the documents related to A.17 requirements even if the company doesn't plan to include the BCMS and business continuity certification in this scope?

Thanks in advance for your support.

Expert
Rhand Leal Jun 10, 2021

1 - The Document of the scope

The company has around 120 employees, has 2 sites, and 3 different activities: IT Solution integration, Training, and Cloud service provider. 

One site contains the IT Solution integration and training Divisions with the HR & Commercial Departments, the other site contains the Cloud Division.

The company wants to certify only the Cloud Activity, but I want to check if we should include in the Scope the HR and Commercial departments to respond to the A.7 requirements and the security of customers' personal information & customers' contracts.

Answer: Please note that an ISMS scope is defined in terms of location, information, or processes to be protected, so taking into account your intention to certify the Cloud Activity, and that it is located at a separate site, the best options for defining your scope would be by location (Cloud division site) or by processes (processes related to cloud service provision).

Considering that, you do not need to include in the ISMS scope the HR and Commercial departments. In the mentioned situation these departments are dependencies to your ISMS scope, and as dependencies, they only need to be identified during the risk assessment and risk treatment process, so proper controls are selected to protect the information in the ISMS scope they have access to.

For further information, see:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/

2 - The Business Continuity 

Should we also prepare all the documents related to A.17 requirements even if the company doesn't plan to include the BCMS and business continuity certification in this scope?

Thanks in advance for your support.

Best regards

Answer: In case there are no relevant risks or legal requirements justifying the implementation of controls of section A.17, you do not need to implement related documents.

You only need to implement documents related to section A.17 in case you have relevant risks or legal requirements demanding the implementation of these documents. In our experience, we have not seen any company that has excluded these controls.

For further information, see:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
