ISO 27001 - exclusion of personal devices in the ISMS scope
You should include personal devices only if your company can have full control over them.
In case it is not possible to have such control, you should keep them out of the scope. In this situation, the security rules for these devices must be regulated by means of agreements with the employees who are using them.
Regarding the external auditor, he is not the one to define if risks are high for the company or not. This is the purpose of the risk assessment process. The auditor will only check if you performed the processes properly and if you have proper justification (i.e., risk assessment) for your decision to use or not an asset.
These articles will provide you with a further explanation about ISMS scope and risk assessment:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
Feb 03, 2022