SPRING DISCOUNT
Get 30% off on toolkits, course exams, and books.
Limited-time offer – ends May 26, 2022
Use promo code:
SPRING30

Expert Advice Community

Guest

ISO 27001 - exclusion of personal devices in the ISMS scope

  Quote
Guest
Guest user Created:   Feb 03, 2022 Last commented:   Feb 03, 2022

ISO 27001 - exclusion of personal devices in the ISMS scope

In the ISMS scope document, I initially removed the usage of personal devices for the business (like using our own phones to access emails) from the ISMS scope. But finally, I wonder whether this is a good idea, and if we do not take the risk an external auditor would argue that using personal devices is a high risk for the company. What would you suggest ?
0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Feb 03, 2022

You should include personal devices only if your company can have full control over them.

In case it is not possible to have such kind of control, you should keep them out of the scope. In this situation, the security rules for these devices must be regulated by means of agreements with employees who are using them.

Regarding the external auditor, he is not the one to define if risks are high for the company or not. This is the purpose of the risk assessment process. The auditor will only check if you performed the processes properly and if you have proper justification (i.e., risk assessment) for your decision to use or not an asset.

These articles will provide you a further explanation about ISMS scope and risk assessment:

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Feb 03, 2022

Feb 03, 2022