Expert Advice Community

ISMS implementation

Guest user Created:   Jun 23, 2021 Last commented:   Jun 23, 2021

Hi, we are a software development company that is on its way to planning an ISMS implementation. I have a couple of specific questions about the definition of the scope of the ISMS.

We would like the scope of the ISMS to be the whole organization. We are not going to leave any internal parts, units or services outside of the scope. I have noticed that there is some granularity to the specific items of the scope. In the course videos you provide, it wasn't this way.

1. Processes and services. Should I write about each service and each process specifically as part of the whole business model? Example:

Managed Service Provider Service and all its processes
Software Development Service and all its processes
Software Support Service and all its processes
Cloud Infrastructure Consulting Service and all its processes

OR may I just put something more general that points to the idea that all the organizational business and processes are in the scope? A broader definition might be open to interpretation, but we really want the whole organization to be covered by the security benefits of having an ISMS in place. Example:

Every service and process that is a part of the organization and its business is included in the scope.

2. Organizational units. May I just get away with putting down that the whole organization and all organizational units are included in the scope? Do I need to define organizational units if I am not going to leave any of them out of the scope? Would an auditor be OK with that definition, and would he/she understand that the whole organization is covered by the ISMS? The problem is that the organization is fairly fluid and ever-moving and changing with regard to units and departments. This doesn't mean that people responsible for certain things are not appointed. Everything is logged, double-checked and audited, but it would be a bit difficult to channel every organizational aspect into a department or a unit.

3. Network and IT infrastructure. This one seems really tricky for me. A lot of our IT infrastructure is ever-changing, so to speak: networks, devices and services are constantly added, removed, migrated and changed. If I need to list every piece of IT infrastructure and network, that would be an Inventory of Assets of its own. So the question is: when I've actually done the work to mark every piece of data in the Inventory of Assets, do I need to relist everything under "Networks and IT infrastructure" as well? May I just put in something showing the general concept of ISMS coverage (i.e. everything)? Would a definition like "All networks and IT infrastructure that are located in the (and here I would just specify the location)" be acceptable as the scope? Our IT infrastructure is in only one physical location, plus the cloud. We are using the IaaS model and sometimes PaaS. In this regard, I would list those in the supplier policies and not in the scope.

Expert
Rhand Leal Jun 23, 2021

1. Processes and services. Should I write about each service and each process specifically as part of the whole business model? Example:

Managed Service Provider Service and all its processes
Software Development Service and all its processes
Software Support Service and all its processes
Cloud Infrastructure Consulting Service and all its processes

OR may I just put something more general that points to the idea that all the organizational business and processes are in the scope? A broader definition might be open to interpretation, but we really want the whole organization to be covered by the security benefits of having an ISMS in place. Example:

Every service and process that is a part of the organization and its business is included in the scope.

Since your whole organization is part of the ISMS scope, you can use a text identifying your core business and including business management and supporting processes. Something like: "Software development processes and their related supporting processes, and business administrative processes."

2. Organizational units. May I just get away with putting down that the whole organization and all organizational units are included in the scope? Do I need to define organizational units if I am not going to leave any of them out of the scope? Would an auditor be OK with that definition, and would he/she understand that the whole organization is covered by the ISMS? The problem is that the organization is fairly fluid and ever-moving and changing with regard to units and departments. This doesn't mean that people responsible for certain things are not appointed. Everything is logged, double-checked and audited, but it would be a bit difficult to channel every organizational aspect into a department or a unit.

Since your whole organization is part of the ISMS scope, you can simply state that the whole organization is in the scope.

3. Network and IT infrastructure. This one seems really tricky for me. A lot of our IT infrastructure is ever-changing, so to speak: networks, devices and services are constantly added, removed, migrated and changed. If I need to list every piece of IT infrastructure and network, that would be an Inventory of Assets of its own. So the question is: when I've actually done the work to mark every piece of data in the Inventory of Assets, do I need to relist everything under "Networks and IT infrastructure" as well? May I just put in something showing the general concept of ISMS coverage (i.e. everything)? Would a definition like "All networks and IT infrastructure that are located in the (and here I would just specify the location)" be acceptable as the scope? Our IT infrastructure is in only one physical location, plus the cloud. We are using the IaaS model and sometimes PaaS. In this regard, I would list those in the supplier policies and not in the scope.

Considering your context, the proper definition here is the one you suggested: "All networks and IT infrastructure that are located in the <location>".

This article will provide you with a further explanation about defining scope:

This material can also help with defining scope:
