ISMS scope - Not interested in ISO27001 accreditation
This is the first phase of ISO 27001 for us. We don't plan on seeking certification but are interested in aligning our environment to ISO 27001.
Is it compulsory to define a scope? Can we just go about implementing ISO 27001 for our whole environment? We are a small organisation but getting bigger.
The idea is to initially implement the ISO 27001 framework organisation-wide so that when we expand we have good practices in place that we can build on.
Do you see any risks/concerns with this approach? Is there a better way to go about it? What are your recommendations?
Even if you are not going for certification right now, you should consider defining a scope, because this will guide you on where to apply the ISO 27001 practices.
The good news is that for small organizations, up to 50 employees, the best approach is to define the whole organization in the ISMS scope.
These articles will provide you with a further explanation about defining the scope:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
These materials will also help you with defining the scope:
- How to set the ISMS scope according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Thanks Rhand for the detailed information. Does it make any difference if the organisation size is 90+ employees and it will be having 3 more subsidiaries in the next 5 months? Can we still define the whole organisation in the ISMS scope? If we do consider defining the whole organisation in scope, do you have any recommendations? Or shall we break it up into critical systems?
You can still define the whole organization in the ISMS scope, but in cases where you have physically separate sites, the most common approach, for those who go for certification, is to separate the scope by sites (ISO 27001 accepts scope definition in terms of location, processes, business units, or information). This way, if one site is not compliant, it does not affect the certification of the other sites.
Since you are not going for certification at this moment, you should evaluate the costs and effort involved in both approaches (i.e., centralized and decentralized scope).
Jun 03, 2020