Hi. I have some questions about the ISMS scope.
The main company is based in Hong Kong. A subsidiary is located in the Philippines. Some staff are hired in the Philippines to work for the main company in Hong Kong via remote work. They mostly have the same access to servers, network, applications and databases as the HK-based staff.
My questions are:
- Do we need to include the Philippine-based staff in the ISMS scope?
- Do we also need to include the Philippine office in the scope? The staff are remote-based but the employee/HR-based paper documents are stored/located in the Philippine office. Which means, physical protection (door lock, cabinet lock, CCTV) needs to be in place?
1 - Do we need to include the Site B-based staff in the ISMS scope?
I’m assuming you are considering the certification for Site A.
Considering that, from your description, the Site B-based staff can be considered outsourced personnel for Site A, so they do not need to be included in the ISMS scope.
2 - Do we also need to include the Site B office in the scope? The staff are remote-based but the employee/HR-based paper documents are stored/located in the Site B office. Which means, physical protection (door lock, cabinet lock, CCTV) needs to be in place?
Please note that Site B only needs to be included in the ISMS scope if it handles or stores information included in Site A's scope. If this is not the case, there is no need to include Site B in the ISMS scope.
For further information, see:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
This material will also help you regarding the scope definition:
- Tool for defining the ISO 27001 ISMS scope https://advisera.com/insight/chatbot-tool-iso-27001-scope/
Mar 03, 2023