Hello All,
I have a question regarding ISO 27001: Section 4. I'm reviewing opportunities for improvement, and the assessor quotes "their needs and expectation towards information does not evident in detail in the aforesaid scope document." In section 4.2, I identified the interested parties as shareholders, employees, contractors, third-party vendors, customer user groups, local federal / regulatory organizations and emergency services. In section 4.3, do I need to identify those interested parties in the document? I only mention the scope as stated in the certificate.
According to ISO 27001, you do not need to identify interested parties in the scope document, only to consider them when defining the scope. Without knowing the scope statement I cannot give you a specific answer, but besides identifying interested parties, in clause 4.2 you also have to determine the needs and expectations (called "requirements") of these interested parties that are relevant to information security, because the interested parties' requirements also have to be considered when defining the scope.
In fact, according to control A.18.1.1 (Identification of applicable legislation and contractual requirements), it is mandatory to list all the requirements of interested parties. Since you identified the interested parties, the assessor may have expected you to present their requirements too, or at least a reference to the document where this information can be found (an organization can choose whether to list this in a separate document or within the ISMS Scope document).
These articles will provide you further explanation about scope and interested parties' requirements:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- How to identify ISMS requirements of interested parties in ISO 27001
These materials will also help you regarding scope and interested parties' requirements:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Sep 19, 2017