Expert Advice Community


ISMS scope change

Guest
Guest user Created:   Oct 28, 2019 Last commented:   Oct 28, 2019


1. If a company has been ISO 27001 certified over the last couple of years and the scope is for, say, Datacenter Facility Mgt/Infra/Network Services, Managed Security Services, Operations Support (covering servers, Helpdesk, etc.), and now, due to changes in the organization, one of the areas (MSS) has been moved to a centralized function under their regional HQ, is the existing ISO 27001 certification still valid?

2. If not, why? If yes, why?

3. What can be done to minimize a recertification?

4. Can a surveillance audit still proceed?


Expert
Rhand Leal Oct 28, 2019

1. If a company has been ISO 27001 certified over the last couple of years and the scope is for, say, Datacenter Facility Mgt/Infra/Network Services, Managed Security Services, Operations Support (covering servers, Helpdesk, etc.), and now, due to changes in the organization, one of the areas (MSS) has been moved to a centralized function under their regional HQ, is the existing ISO 27001 certification still valid?

The ISO 27001 certification would still be valid for the scope that remains under the control of the company (i.e., the MSS would no longer be part of the ISMS scope). This change in the ISMS scope needs to be communicated to the certification body.

2. If not, why? If yes, why?

A change in the ISMS scope is something expected during a certification life cycle, and this situation does not make the certification invalid, provided that the new scope still fulfills all requirements of the standard.

3. What can be done to minimize a recertification?

Since the certificate is still valid, there is no need for recertification.

4. Can a surveillance audit still proceed?

The surveillance audits can proceed normally. You only have to inform the certification body of this situation so they can review the surveillance audit schedule. In this situation, you have to evaluate the impacts of the change in the scope and make the proper adjustments in the ISMS (e.g., risk assessment, risk treatment, SoA, etc.).

Please note that one adjustment is also to create an agreement with the new "provider" of the MSS, i.e., the regional HQ.
