ISMS scope change
1. If a company has been ISO 27001 certified over the last couple of years and the scope is for, say, Datacenter Facility Mgt/Infra/Network Services, Managed Security Services, and Operations Support (covering servers, helpdesk, etc.), and now, due to changes in the organization, one of the areas, say MSS, has been moved to a centralized function under their regional HQ, is the existing ISO 27001 certification still valid?
The ISO 27001 certification would still be valid for the scope that remains under the control of the company (i.e., the MSS would no longer be part of the ISMS scope). This change in the ISMS scope needs to be reported to the certification body.
2. If not why? If yes, why?
A change in the ISMS scope is something expected during a certification life cycle and this situation does not make it invalid, provided that the new scope still fulfills all requirements of the standard.
3. What can be done to minimize a recertification?
Since the certificate is still valid, there is no need for recertification.
4. Can a surveillance audit still proceed?
The surveillance audits can proceed normally. You only have to inform the certification body of this situation so they can review the surveillance audit schedule. In this situation, you have to evaluate the impacts of the change in the scope and make proper adjustments in the ISMS (e.g., risk assessment, risk treatment, SoA, etc.).
Please note that one adjustment is also to create an agreement with the new "provider" of the MSS, i.e., the regional HQ.
Oct 28, 2019