ISMS scope question
Assign topic to the user
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more 
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
Answer: The email service should not be included in your scope since you cannot control it. However, some of the data that will be sent through this email service will be included in the scope - basically, when you define the ISMS scope you should define which data is included in the scope.
Or, I cannot control all aspects of my employee's remote offices, but I plan on writing a policy based on telecommuting best practices, and how to secure everything from our company's physical assets (ie. lock laptop when in public places) to installing latest anti-virus , etc....but I won't include policies on how to configure their wireless network or to segment it via their own firewall, because they VPN into all the secure networks--so would my employee's remote offices be included in scope or not?
Answer: I don't think it is a good idea to include remote offices in the scope because you don't have direct control over them. But yes, you should define the rules on how the work they perform in these offices is to be protected.
This article might also help you: How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
Comment as guest or Sign in
May 25, 2016