Answer: First of all, ISO 27001 cannot be used to certify products. This standard can be used to certify an organization's Information Security Management System, regarding processes, organizational units and locations. That said, your assumption is correct when considering that you can have a limited scope, defining your Information Security Management System in terms of the software development process used to deliver the product, as a means to ensure to your customers that the required information security measures are identified, included and maintained in the software. But you should also note that limiting the scope doesn't make sense for smaller companies, since it will require greater effort than managing security considering the whole organization.
This article will provide you with further explanation about ISMS scope:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
These materials will also help you regarding ISMS scope:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
May 17, 2017