In respect of scope location, would you include remote working, e.g., coffee shop/airport? I would like to include homeworking, but I feel ad-hoc remote working may be a step too far in the scope. What would be best practice here, please?
Since you do not control the environment where the remote workers do their work, typically you would exclude from the ISMS scope their home office, coffee shops, or other places where they work. You would include in the ISMS scope the things that you can control: the employees, and their hardware (if they use the company's computers and smartphones).
This article will provide you with further explanation about defining scope:
At the time of the Stage 1 Audit, the Auditor finds that the client's ISMS Scope documentation lists all locations (country names and addresses), all departments (with names of departments, including Sales and Marketing), and all business activities (listing them one by one), and includes all staff as per the ISMS Scope document. However, the Audit Application Form provided to the Certification Authority mentions that the ISMS Scope excludes the Sales and Marketing departments and the people belonging to them. Is it possible for the actual ISMS Scope within the organization to include all the departments, including Sales and Marketing, while the Certification Authority Audit scope excludes the Sales and Marketing departments? How should the Auditor treat this in the Stage 1 Audit? Is this a Minor Non Conformity, a Major Non Conformity, an Observation, or an absolutely normal matter?
The company’s ISMS scope can be different from the certified ISMS scope (i.e., the certified ISMS scope can be only part of the actual ISMS scope).
Considering the difference, the certification auditor can proceed with the certification audit considering only the initial scope defined in the Audit Application Form (Sales and Marketing departments will not be audited). In case of a successful audit, only the scope defined in the Audit Application Form will be considered certified.