ISO 27001 - Context of Organization
Does ISO 27001 say that organizations have to understand internal and external issues, interested parties and their requirements, when defining the ISMS scope? Is it correct to say "YES"? Or does the understanding have to take place BEFORE, and not DURING or WHEN?
ISO 27001 clause 4.3 (Determining the scope of the information security management system) requires an organization to consider the following when defining the ISMS scope:
- internal and external issues relevant to the organization’s purpose and which can impact, or be impacted by, the ISMS intended results
- requirements of interested parties
- interfaces and dependencies between activities that are and are not considered for the ISMS scope
To consider something you need to understand it. The standard does not define when this information needs to be gathered and understood, but the sooner it is available, the faster you will be able to define an ISMS scope that is relevant to and integrated with the organization's operations.
These articles will provide you with a further explanation about scope definition:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
- How to set the ISMS scope according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/
These materials will also help you regarding scope definition:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- ISO 27001 Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Dec 17, 2020