Inquiry about the following ISO27001 controls
Assign topic to the user
1. Physical office security for site 1:
Given the scenario above, is it possible to treat the site 1 office as out-of-scope? The existing security controls of the office does not fully conform with the standard and our personnel cannot make major change in the office security since they are only sitting with our Parent company’s office. In terms of risk associated with the physical security, we assess that it is minimal since most of the time, our personnel are working remotely (80% of the time) anyway. The security will be enhanced on the personnel itself (awareness), their system accesses (policy, access rights and reviews, the likes), and in their user laptops (endpoint security such as anti-malware, DLP agent).
If the site 1 office does not contain highly sensitive information, and if the people from this site have only restricted access to offices within the scope, then you can exclude office 1 from the scope.
For further information, see:
- Tool for defining the ISO 27001 ISMS scope https://advisera.com/insight/chatbot-tool-iso-27001-scope/
2. In site 2, our HR, Recruitment, and IT (laptop, user peripherals, purchasing of these equipment) service are provided by our Parent company (shared among some of its subsidiary companies). Are they still considered as supplier of the services and will be required by the standard to comply with the applicable 3rd party controls (NDA, contracts, etc.)? We do not have such contract established with our parent company. The personnel of the aforementioned teams only access “internal” classified data such as employee info, payroll, and the likes
In case the parent company acts as a service supplier accessing information your ISMS needs to protect (i.e., information included in the ISMS scope), then you need to treat this parent company as a supplier, and controls applicable to suppliers need to be applied, but please note that in this case, the agreements signed with such "suppliers" do not need to be fully formal (i.e., instead of full formal contracts you can use something like internal memos).
For further information, see:
- 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
Comment as guest or Sign in
May 26, 2022