Expert Advice Community

Guest

ISMS scope question

  Quote
Guest
Guest user Created:   May 25, 2016 Last commented:   May 25, 2016

ISMS scope question

As a software development company, our most important asset to protect is all customer information that flows through our networks, and that of our employees & subcontractors (who are all telecommuters). I am trying to decipher what precisely I include as part of my scope..for instance, I cannot control the security of the GoDaddy email services that we use, but I will include an "Email Policy" for all employees and subcontractors to ensure that sensitive data sent via email is properly handled. Because I plan on writing an email policy, would "email" be considered in scope"?
0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Dejan Kosutic May 25, 2016

Answer: The email service should not be included in your scope since you cannot control it. However, some of the data that will be sent through this email service will be included in the scope - basically, when you define the ISMS scope you should define which data is included in the scope.

Or, I cannot control all aspects of my employee's remote offices, but I plan on writing a policy based on telecommuting best practices, and how to secure everything from our company's physical assets (ie. lock laptop when in public places) to installing latest anti-virus , etc....but I won't include policies on how to configure their wireless network or to segment it via their own firewall, because they VPN into all the secure networks--so would my employee's remote offices be included in scope or not?

Answer: I don't think it is a good idea to include remote offices in the scope because you don't have direct control over them. But yes, you should define the rules on how the work they perform in these offices is to be protected.

This article might also help you: How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

May 25, 2016

May 25, 2016