left-svg
Bonus expert support worth $500
with the ISO 27001 Documentation Toolkit
Limited-time offer – ends June 30, 2022.
right-svg

Expert Advice Community

Guest

ISMS scope

  Quote
Guest
Guest user Created:   Jun 07, 2022 Last commented:   Jun 07, 2022

ISMS scope

Hope you are doing well. This is ***, one of the participants during the yesterday’s webinar - ISO 27001/ISO 22301: The certification process. At this point I would like to express my great thanks and appreciation to you, because without your free ISO27001 courses and free webinars I wouldn't be right now in my company's ISO27001 project team. The reason I'm writing to you now is because I'd like to hear your input on a discussion I had just 2 days during our ISO 27001 Implementation meeting here in the company where I work. Based on the defined ISMS scope , primarily we need to prepare for now, only the IT Department for ISO27001 certification. (Afterwards we shall continue with other departments, currently the urgent need is the IT, where I ' m also a member of as a system/network/security engineer). The project team consists of 6 people. Yesterday during the discussion, all other 5 members were insisting that there is no need to cover any section from ISO 27001 – Annex A.7: Human Resource Security, while me, from the other hand I was trying to convince them that yes, definitely we need to cover this control not only because is part of the Annex A but because is directly related with IT areas as well. It was impossible to convince them, they still insist that the ISMS scope and the certification goal is the IT, not the HR. And now I'm wondering, indeed they are right and I'm wrong?  I'm really confused and for sure i do not want to make any bad impression just from the very first beginnings. Your insights are valuable, and your assistance/guidance as always are greatly meaningful to me dear Dejan. Thank you.
0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Jun 07, 2022

Please note that the decision about including or excluding controls needs to be based on the results of risk assessment and applicable legal requirements, and it seems neither of you took these into consideration.

So, our recommendation for your team is to see first which risks and legal requirements are relevant to your scope, and based on them identify which controls are applicable.

For further information, see:

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Jun 07, 2022

Jun 07, 2022