Are internal departments providing services to an ISMS scope, but not part of the scope, managed as 3rd party suppliers?
My specific question is actually regarding asset ownership for assets in a 27001 scope which is a business unit in a company and not the entire company. How are asset owners addressed/managed if they are actually working in a business unit external to the scope? For example, IT assets used within scope which are, however, owned by a Group IT function. I do hope this makes sense?
Your example scenario (IT assets used within scope, but owned by a Group IT function) is a common situation when the ISMS scope covers only part of the organization, so it makes perfect sense.
In cases like this one, as well as in any other case when an entity outside the ISMS scope (e.g., another department, a contractor, etc.) has a relationship with elements inside the scope, it can be seen and treated as a 3rd party supplier.
These articles will provide you with a further explanation about ISMS scope:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
Apr 29, 2020