Bills Created: Aug 01, 2019 Last commented: Aug 02, 2019

Implementing ISMS in other Business Dept.

Hi I have implemented ISO 27001 in IT dept. as scope and I have successfully implemented and got certified.Now I need to increase my scope to other departments. I need to know how can I do it ? How I will go the gap assessment ? What are the controls that I should do the gap assessment as most of the information processing systems lie within the IT dept. What information I have to protect as the information within other dept. will be confined to paper assets. Please advise me what approach should I take to extend my scope. Thanks

0 0

Assign topic to the user

Select user

Expert

Rhand Leal Aug 02, 2019

Answer:

You must approach a scope extension as if it was a new implementation project (the steps are basically the same). The difference is that as a scope extension you have to assess how this inclusion will affect your current scope. For example, how you will handle access of the personnel of the new part of the scope to the current one? Access levels will be the same or will have to be updated? Since this new scope will include paper assets, how this will affect you information classification policy?

This article will provide you further explanation about ISO 27100 implementation:
- ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

These materials will also help you regarding ISO 27100 implementation:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Quote

0 0

Comment as guest or Sign in

HTML tags are not allowed

Name *

Email *

I accept the Privacy and Terms

Notify me when someone replies

Aug 01, 2019

Aug 02, 2019

Expert Advice Community