Expert Advice Community

Guest

ISMS Scope - remote working

  Quote
Guest
Guest user Created:   Sep 18, 2020 Last commented:   Sep 18, 2020

ISMS Scope - remote working

1 - A question on ISMS scope and 3.3 Locations in your toolkit template. Due to covid we no longer have a physical office, it may be that we never return to having one as we mainly all worked remotely in any case. We have 6 people in our business, but 4 remote working locations. For the purposes of ISO27001, are those 4 remote working locations to be in scope for our ISMS? I think the answer is no because we are a SAAS company and your webinar on ISMS scope said that SAAS cloud companies did not need to look at HW or SW, just their data. 2 - However, what about operational controls to ensure information and data such as passwords are not left lying around? An imposter could in principle log on and get into our system.  Would we need a tidy desk policy or something like that so that no paper passwords or client data/information is on note pads or left out. How would you actually enforce that with remote working? Perhaps a risk you chose to acknowledge but not do anything about as you can’t enforce a locked room in someone’s home. Not sure what other companies are doing on this point now that everyone is working from home. Should we be saying that employees log out when they go away from their computer? Should we be keeping a record of when an employee signs in and signs out of their device or applications on that device? We value our flexibility and don’t want to upset our culture by having a big brother approach to how we work and operate.
0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Sep 18, 2020

1 - A question on ISMS scope and 3.3 Locations in your toolkit template. Due to covid we no longer have a physical office, it may be that we never return to having one as we mainly all worked remotely in any case. We have 6 people in our business, but 4 remote working locations.

For the purposes of ISO27001, are those 4 remote working locations to be in scope for our ISMS? I think the answer is no because we are a SAAS company and your webinar on ISMS scope said that SAAS cloud companies did not need to look at HW or SW, just their data.

Your assumption is correct. Regarding remote workers, normally you do not control the environment where they are, so these are kept out of the scope.

These articles will provide you a further explanation about defining scope:

2 - However, what about operational controls to ensure information and data such as passwords are not left lying around? An imposter could in principle log on and get into our system.  Would we need a tidy desk policy or something like that so that no paper passwords or client data/information is on note pads or left out. How would you actually enforce that with remote working? Perhaps a risk you chose to acknowledge but not do anything about as you can’t enforce a locked room in someone’s home. Not sure what other companies are doing on this point now that everyone is working from home.

Should we be saying that employees log out when they go away from their computer? Should we be keeping a record of when an employee signs in and signs out of their device or applications on that device? We value our flexibility and don’t want to upset our culture by having a big brother approach to how we work and operate.

In such cases with remote workers, you treat remote access as a risk in your assessment, and treat the unacceptable risks by means of controls from section A.15 - Supplier relationships (e.g., by using contracts and terms of service to enforce security practices).

This article will provide you a further explanation about the scope definition and supplier management:

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Sep 18, 2020

Sep 18, 2020

Suggested Topics