
Expert Advice Community

ISMS Scope Extension

Guest
Bills   Created: Aug 15, 2022   Last commented: Sep 13, 2022

Hi All

I have implemented an ISMS in one department, which is IT, and got the ISO 27001 certificate with the IT department as the scope. Now I need to extend the scope to other departments like admin, Finance, Trading and other divisions of the organization. How can I do that, and what steps should I take so that the requirements from 4 to 10 are fulfilled and I can also select some controls from Annex A?

I have a doubt about whether I can extend the ISMS to other departments. Can anyone please guide me on how to extend this scope?

Thanks


Expert
Rhand Leal Aug 17, 2022

It is possible to extend your ISMS scope.

You should treat this scope extension as an implementation project with some adjustments:

    1) review the ISMS basic framework (e.g., scope, objectives, organizational structure), considering the organizational context of the extended scope and the requirements of interested parties

    2) review the risk assessment and treatment methodologies, to see if the extended scope requires these to be adjusted

    3) review the risk assessment and define the updated risk treatment plan

    4) adjust implemented controls when necessary (e.g., policies and procedures documentation, acquisitions, etc.), and implement the new controls required by the new scope context

    5) people training and awareness

    6) controls operation

    7) performance monitoring and measurement

    8) perform the internal audit

    9) perform the management critical review, and

    10) address nonconformities, corrective actions, and opportunities for improvement.

These articles will provide you with additional information:

Guest
Bills Aug 21, 2022

Hi Rhand Leal

Thanks for the reply. I will consider all that you have mentioned. But that will be applicable to my existing scope, which is the IT department. How should I implement the ISMS in, for example, the finance department? We have ISMS requirements and controls which are already applied to the IT department, and IT in any organization holds all information and information processing infrastructure. Since ISO 27001 is mainly talking about information in its digital form and the controls to protect it (Annex A), what are the controls and requirements that we implement in other departments (like finance)?

If I go to finance and say, for example, "I want to implement the ISMS in your department," they will say, "We have all information and processing in IT systems, and we deal with very minimal information which is on paper as hardcopy." Since IT holds all information in their systems, the finance department has no repository to store data. All information is in IT systems.

The above will be the answer from finance. In this case, how should I approach it? How should I proceed with the finance department ISMS? Please provide some examples to illustrate.

Thanks

Albert Koubov Gonzalez Aug 23, 2022

Hello Bills.

I will try to answer your question.

ISO 27001 talks about information in all its forms: on paper, spoken and digital, not just digital.

In your revised risk assessment you might want to involve Finance Dept. representatives to try to identify information security risks that might be relevant for the Finance Dept. They might have requirements from financial auditors on how they handle accounting records and how they protect them; that alone could be both a compliance risk and an operational risk.

Even if digital information is stored in IT assets, IT does not own the financial data; they merely support the Finance Dept. in their business process. The Finance Dept. is ultimately responsible for the financial data. Therefore, for example, the Head of Finance is the appropriate risk owner for treating risk tied to financial data and for providing resources to treat risk. IT can implement technical controls, but data owners are normally the business functions. Ownership of and responsibility for data cannot be pushed to IT; this is a common misconception among business functions.

Controls that are relevant for the Finance Dept. can also include attending the security awareness training to reduce the risk of them clicking on malicious links, or accidentally transferring money to a hacker performing social engineering (e.g. Business E-mail Compromise).

For example, one regulatory requirement could be to ensure that there are backups of financial data, and that these backups are tested to ensure that financial data can be restored. IT might perform the backups for the Finance Dept., but it is the Finance Dept.'s responsibility to provide adequate budgeting so that the IT Dept. can do this (and reduce the risk of losing financial records if something happens to the production servers).

Other things can be that they restrict access to financial records and privileged user roles in the ERP system to reduce the risk of manipulated financial records. This might also mean that they need to perform access reviews on a regular basis and that they need an approval process before users are granted access to the ERP system.

Change management controls need to be in place for changes introduced to the ERP system, to reduce the risk of accidentally corrupting financial records when new features are pushed into production, and planned maintenance should not cause disruption during critical periods (e.g. during the month-closing period).

I would suggest having a look at Annex A and thinking about what controls could be relevant for the Finance Dept. (and, of course, other departments in a similar fashion) to reduce risk.

Expert
Rhand Leal Aug 25, 2022

Please note that the steps mentioned in the previous answer are still valid for the implementation of the ISMS in any other department of your organization.

There are many security-related activities that need to be performed in non-IT departments - e.g., physically protecting the laptops and mobile phones, protecting the documentation in paper form, approving access to department-specific information systems, etc. All of these will be detected as part of risk assessment, and then you will be able to determine which security controls will be required for such a non-IT department.

Guest
Bills Sep 09, 2022

Thanks Rhand

I appreciate your reply, and I got the idea now. Let me pen it down as below. Please review and correct me if I am not correct.

So if my scope is now the finance department (for example), I would perform the following activities as part of the implementation (high level):

1. Information Asset Register: This will consist of all the information assets which lie in the finance department, like laptops, desktops, printers, paper documents, cabinets and drawers holding paper information, applications like ERP/SAP and their access control, people assets like skilled staff, facilities like the department working area, suppliers, HVAC, etc.

2. Risk Assessment Register: As the information assets are identified in step 1, now it is time to identify the risks for those information assets, and to analyze and evaluate them to come up with the risk score. Based on the risk score, controls will be applied from Annex A.

3. Apply controls from Annex A: I have a doubt about this part. Since the finance department is non-technical and Annex A controls are technical controls, how will the risk owner (finance manager) be able to understand the controls and then apply them unless the IT department is assisting him? I need some clarification on this part. Who will select the Annex A controls for the finance department?

4. SoA for Finance: Do I need another SoA for the finance department? I have an SoA for the IT department, and IT is already certified for the ISMS. Do I need to have another SoA for the finance department as well? Please advise.

The above 4 steps which I mentioned are correct to start the implementation in the finance department (for example). The rest of the things in the standard I can understand as part of the already implemented ISMS in IT.

Thanks

Expert
Rhand Leal Sep 13, 2022

First, it is important to note that the steps you mentioned are related to information security risk management, and before them you first need to perform the evaluation of the organizational context from the finance department's point of view, so you can identify business and legal requirements that may impact this new element of your scope.

The best course of action is for you to follow the implementation steps explained in a previous answer, if only to ensure you do not forget any step. In case you identify that a step does not require changes in your ISMS (e.g., review of the organizational structure), you can simply skip it.

Regarding step 3, please note that only part of the Annex A controls are technical (for example, the controls from section A.6.1 Internal organization are administrative controls).

Considering that, the main role of the risk owner is to ensure that risks are properly managed. This person does not need to define all the controls by himself. He can count on the support of experts from his own area (e.g., a process key user), or from other areas (e.g., IT department) to help him define which controls to apply.

For further information, see:

Regarding step 4, you do not need another SoA. Since you are extending the certification scope, a single SoA is sufficient.
