Expert Advice Community

Information Asset: Business Applications and their Scope

Guest user Created: Jan 12, 2016 Last commented: Jan 12, 2016

DejanK Jan 12, 2016

I've received this question:

> We are planning to implement ISO 27001 and the scope is our Data Center and IT department. The data center has several servers and each of those servers has applications belonging to different departments, which are outside the scope of 27001.

> I included all the physical servers in my Information Asset list, assigned "System Administrator" to be the Asset Owner, and did the risk assessment for them.
>
> My question is: since all departments except the IT department are outside the current scope, do I have to add their applications to my Asset List? Department managers are responsible for their applications. As the IT department we are only responsible for the servers and backup, and have no access to the applications inside those servers.

Answer:

No, you should not include the business applications in your scope; in your scope should remain only the hardware, but probably also the system software (i.e. operating systems, admin tools, etc.).

Guest post Jan 12, 2016

Dejan Kosutic said:

> I've received this question:
>
> > We are planning to implement ISO 27001 and the scope is our Data Center and IT department. The data center has several servers and each of those servers has applications belonging to different departments, which are outside the scope of 27001. I included all the physical servers in my Information Asset list, assigned "System Administrator" to be the Asset Owner, and did the risk assessment for them. My question is: since all departments except the IT department are outside the current scope, do I have to add their applications to my Asset List? Department managers are responsible for their applications. As the IT department we are only responsible for the servers and backup, and have no access to the applications inside those servers.
>
> Answer:
>
> No, you should not include the business applications in your scope; in your scope should remain only the hardware, but probably also the system software (i.e. operating systems, admin tools, etc.).

If we add the two teams mentioned below to our current scope:

- Technical Maintenance Team (giving support for 1000-plus end users' problems)
- In-House Application Development and Application Support Team (giving application development and support for internal-use applications such as HR, Accounting, and a few other business applications)

then what other things need to be added to the risk assessment process and to the Information Asset list?

Regards

DejanK Jan 12, 2016

If you add these two teams to the ISMS scope, then you need to include the assets they own into the Information asset list, and you have to perform the risk assessment for all those assets.

Guest post Jan 12, 2016

Actually, this question that was already written in this group is quite familiar to my situation.

My organization's top management has defined that the most important of the organization's processes is the "data center", so they decided to include it in the ISMS scope for the beginning and then probably add other business processes which are vital for the organization. What would be your advice: how relevant do you think it is to implement an ISMS according to ISO 27001 for the organization's data center?

Moreover, in the previous discussion you said that in the case of the data center being in the scope we are left with only hardware assets to implement the ISMS on, and "probably also the system software (i.e. operating systems, admin tools, etc.)", as you said. But I think we shouldn't include "operating systems, admin tools, etc." in our scope, because those products most probably are not locally created products, and if we include them then it means that we should implement the ISMS on operating systems, or it most likely means that we should implement the ISMS on VMware machines, Apache server, etc., for example. So is it possible to do it that way?

If not, then we are left with only hardware to implement the ISMS on. And is implementing an ISMS for just the physical environment a good idea?

Thanks in advance

DejanK Jan 12, 2016

I think the best thing to do is to implement the ISMS for the whole company; if this is not possible, then the scope of your ISMS should cover the areas of your company where you handle the most sensitive information. Therefore, if the sensitive information is not handled only in the data center, then including only the data center in the scope does not make sense.

Regarding operating systems, admin tools, etc. - it is not the point who created those products, but who controls them. If your data center is in the scope, and if your system administrators are directly in charge of all the systems (but not the business data), then I assume they do not control only the hardware, but also the operating system and other system software.

If you include only the hardware in your scope, how would you be able to protect the information stored on it?

Guest post Jan 12, 2016

I agree that the best way for ISMS implementation is to include the whole company in the scope. But to do it with only one person in a company of about 500 users, I think it will need too much time, so the thing is that the company is concentrating on the most sensitive information at the moment.

Almost all sensitive information (business data) is handled in the data center. So actually my question was: if we include only the data center in the scope and start the risk assessment and asset identification on it, which assets need to be identified, only the hardware or all the information that is produced on it? If the second, then it means that I have included the whole company itself; if not, then it means that I have to assess the hardware and operating systems, admin tools, etc. (but not the business data). If I do it that way, then the result of the ISMS should be data center physical security optimization and segregation-of-duties optimization for the system administrators who are managing those systems, both physical and application systems, so in that case it should make sense, shouldn't it?

DejanK Jan 12, 2016

Leo,

I'm not sure if I understood your question correctly, but you have to choose on your own which assets you will include in your ISMS scope - once you do this, you have to perform the risk assessment on all of these assets. One option is that in your data center you include only the hardware and the system software in your ISMS scope, while the other option is to include also the data that is stored on those servers.

If your company controls the data that is stored on those servers, then I think you should include that data in your ISMS scope - otherwise, you would have an ISMS scope that doesn't cover the most important data.

Guest post Jan 12, 2016

I mean almost the same as what you wrote in your last sentence: that if I include in my scope only the hardware and the system software, then I will leave out the most important (business) data that is stored on those servers and which is important for the company's business processes. So that's why I think that the scope should first contain the most important business processes, and during the risk assessment the data center will be identified as one of the important assets itself, where the ISMS should spread to it, and of course to other assets which will be identified in the data center and outside of the data center as well.
