ISO 27001 Clause 4 - Scope

Guest
Guest user Created:   Sep 08, 2023 Last commented:   Sep 13, 2023

In respect of scope location, would you include remote working, e.g. coffee shop/airport? I would like to include homeworking, but I feel ad-hoc remote working may be a step too far in the scope. What would be best practice here, please?

Expert
Rhand Leal Sep 08, 2023

Since you do not control the environment where the remote workers do their work, typically you would exclude from the ISMS scope their home office, coffee shops, or other places where they work. You would include in the ISMS scope the things that you can control: the employees, and their hardware (if they use the company's computers and smartphones).

This article will provide you with further explanation about defining scope:

All you need to know about setting the ISO 27001 scope

This tool may also help you:

Tool for defining the ISO 27001 ISMS scope

Guest
VkkdkVi Sep 09, 2023

At the time of the Stage 1 audit, the auditor finds that the client's ISMS scope documentation lists all locations (country names and addresses), all departments (with the names of the departments, including Sales and Marketing), all business activities (listed one by one), and includes all staff as per the ISMS scope document. However, the Audit Application Form provided to the Certification Authority mentions that the ISMS scope excludes the Sales and Marketing departments and the people belonging to them. Is it possible for the actual ISMS scope within the organization to include all the departments, including Sales and Marketing, while the Certification Authority audit scope excludes the Sales and Marketing departments? How should the auditor treat this in the Stage 1 audit? Is this a minor nonconformity, a major nonconformity, an observation, or an absolutely normal matter?

Expert
Rhand Leal Sep 13, 2023

The company’s ISMS scope can be different from the certified ISMS scope (i.e., the certified ISMS scope can be only part of the actual ISMS scope).

Considering the difference, the certification auditor can proceed with the certification audit considering only the initial scope defined in the Audit Application Form (Sales and Marketing departments will not be audited). In case of a successful audit, only the scope defined in the Audit Application Form will be considered certified.
