1 - As objectives for our ISO 27001 certification, I added some details as follows:
To implement the Information Security Management System in accordance with the ISO 27001 standard by June 30, 2022 at the latest.
Achieving the ISO 27001 standard certification is a must to:
- Comply with many customers’ requirements that purchase services through SaaS platforms. This is a business enabler;
- Protect our customers by minimizing the scope and potential impact of security threats:
  - Loss of data
  - Sensitive data exposure
Is this a good practice to do so? Is it sufficient?
As a SaaS provider, should I add more details and/or reasons?
Answer: I’m assuming that you mean these objectives for the Project Plan, section 3.1 (Project objective).
Regarding the objectives, they are well written, because they clearly define measurable objectives (e.g., customers’ requirements, minimizing the scope, and potential impact).
Regarding sufficiency and detail level, this should be evaluated considering the target audience (e.g., customers, project team, project sponsor, etc.). If these are ok from their point of view, then the document is fine.
2 - My second question is about a new location we'll add around February next year.
Our goal is to get certified by end of June 2022.
In February, we'll probably open a new sales office in the US.
What would be the impact of opening this new site from an ISO 27001 certification standpoint?
Answer: First, it is important to note that the Information Security Management System scope can be defined as the organization as a whole or as only part of it.
Considering that, there will be no impact on the certification if you keep only the current office in the ISMS scope. In case you decide to include the new site in the scope, the impact on the certification process will depend on how similar the operations in both offices are. The more different the activities, the more impact you will have, because additional controls may be required.
These articles will provide you with further explanation about scope definition:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/