ISO 27001 Scope change
We are coming up for re-certification this year for ISO 27001. We were all in an office in ***, but since the pandemic we have all been given new contracts and are permanently WFH now. Since the scope only contained services and company-owned hardware at the *** office, this cannot stay as is. I was wondering whether to change the scope to say "Company-owned assets". If I were to change this, will it exclude home routers etc., or will I need a new policy for updating home security devices? We have many layers of security in place, including encryption, MFA, conditional access policies etc. Just looking to make the scope correct for the new world we find ourselves in.
Please note that if all employees are accessing from home the same services and company-owned hardware they accessed when they worked in the company, then the ISMS scope does not need to be changed.
The use of personal devices to access the company's services and company-owned hardware from home can be handled by means of identification of relevant risks related to the use of personal devices and to remote access, which can be treated by means of controls such as A.6.2.1 Mobile device policy, A.6.2.2 Teleworking, and A.13.2.1 Information transfer policies and procedures.
The use of company-owned hardware by employees from their homes can be handled by means of identification of relevant risks related to telework, which can be treated by means of controls such as A.6.2.1 Mobile device policy, A.6.2.2 Teleworking, and A.11.2.6 Security of equipment and assets off-premises.
To see what policies covering these controls look like, please take a look at these free demos:
- Bring Your Own Device (BYOD) Policy https://advisera.com/27001academy/documentation/bring-your-own-device-byod-policy/
- Mobile Device and Teleworking Policy template: https://advisera.com/27001academy/documentation/mobile-device-and-teleworking-policy/
These articles will provide you with further explanation about teleworking:
- How to write an easy-to-use BYOD policy compliant with ISO 27001 https://advisera.com/27001academy/blog/2015/09/07/how-to-write-an-easy-to-use-byod-policy-compliant-with-iso-27001/
- How to apply information security controls in teleworking according to ISO 27001 https://advisera.com/27001academy/blog/2021/10/27/how-to-use-iso-27001-to-secure-data-when-working-remotely/
- What to include in an ISO 27001 remote access policy https://advisera.com/27001academy/blog/2019/04/23/iso-27001-remote-access-policy-how-to-develop-it/
These materials will also help you regarding teleworking:
- Checklist of cyber threats & safeguards when working from home (PDF) https://info.advisera.com/27001academy/free-download/checklist-of-cyber-threats-and-safeguards-when-working-from-home?
- ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Mar 15, 2021