Guest user Created: Nov 12, 2021 Last commented: Nov 12, 2021

How to start using the ISO 27001 / ISO 22301 Toolkit

I have a first question. As objectives for our ISO 27001 certification, I added some details as follows; To implement the Information Security Management System in accordance with the ISO 27001 standard by June 30, 2022 at the latest. Achieving the ISO 27001 standard certification is a must to: · Comply with many customers’ requirements that purchase services through SaaS platforms. This is a business enabler; · Protect our customers by minimizing the scope and potential impact of security threats: o Loss of data o Sensitive data exposure Is this a good practice to do so ? Is it sufficient ? As a SaaS provider, should I add more details and/or reasons ? My second question is about a new location we'll add around February next year. Our goal is to get certified by end of June 2022. In February, we'll probably open a new sales office in the US. What would be the impact of opening this new site from an ISO 27001 certification standpoint ?

0 0

Assign topic to the user

Select user

Expert

Rhand Leal Nov 12, 2021

1 - As objectives for our ISO 27001 certification, I added some details as follows:

To implement the Information Security Management System in accordance with the ISO 27001 standard by June 30, 2022 at the latest.

Achieving the ISO 27001 standard certification is a must to:

· Comply with many customers’ requirements that purchase services through SaaS platforms. This is a business enabler;

· Protect our customers by minimizing the scope and potential impact of security threats:

o Loss of data

o Sensitive data exposure

Is this a good practice to do so ? Is it sufficient ?

As a SaaS provider, should I add more details and/or reasons ?

Answer: I’m assuming that you mean these objectives for the Project Plan, section 3.1 (Project objective).

Regarding the objectives, they are well written, because they clearly define measurable objectives (e.g., customers’ requirements, minimizing the scope, and potential impact).

Regarding sufficiency and detail level, this should be evaluated considering the target audience (e.g., customers, project team, project sponsor, etc.). If these are ok from their point of view, then the document is fine.

2 - My second question is about a new location we'll add around February next year.

Our goal is to get certified by end of June 2022.

In February, we'll probably open a new sales office in the US.

What would be the impact of opening this new site from an ISO 27001 certification standpoint ?

Answer: First is important to note that the Information Security Management System scope can be defined as the organization as a whole or as only part of it.

Considering that, there will be no impact in the certification if you keep only the current office in the ISMS scope. In case you decide to include the new site in the scope, the impact in the certification process will depend on how similar the operations in both offices are. The more different the activities, the more impact you will have, because additional controls may be required.

These articles will provide you a further explanation about scope definition:

- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

Quote

0 0

Comment as guest or Sign in

HTML tags are not allowed

Name *

Email *

I accept the Privacy and Terms

Notify me when someone replies

Nov 12, 2021

Expert Advice Community