ISMS - In scope or out of scope
Some information is missing for providing a direct answer, so I’ll provide one considering two possible scenarios.
In case your company is a small one (i.e., up to 50 employees), it is better to include your whole organization in the ISMS scope, because the effort to separate elements that are inside the scope from those outside it wouldn’t be worthwhile.
In case your company has more than 50 employees, you should evaluate whether keeping Sales and Marketing separate from the other divisions is worthwhile (you would have to treat them like external parties, for which you need to implement controls to separate them from the ISMS scope, while at the same time you need to provide access to the information in the ISMS scope that they need).
This problem is described in detail in this article:
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
Jun 15, 2021