Regarding the ISMS Scope Document: for the location, we are a remote company with a virtual address, and we have an address for our data center. Should we include it? Also, what should we exclude? We give laptops to our employees.
I’m assuming that you do not own the data center.
Considering that, for certification purposes, you need to define at least one physical location which belongs to the organization. This can be the address of the CEO's home, or some office rented by the organization for administrative purposes (like the company HQ).
Since you are a remote company, you should define your scope in terms of the data you want to protect (i.e., the physical data center should be excluded, but the data hosted in this data center should be included) and exclude all remote sites.
These articles will provide you with further explanation of ISMS scope definition:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
- Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/
This tool can also help you:
- Tool for defining the ISO 27001 ISMS scope https://advisera.com/insight/chatbot-tool-iso-27001-scope/
Oct 21, 2022