Expert Advice Community

ISO 27001 scope

Guest
Guest user Created:   Jun 12, 2020 Last commented:   Jun 12, 2020

ISO 27001 scope

1. We use a third party to provide infrastructure for our product (Installation sits on an AWS Server). On the Scope document, what would we put under “Location” for these servers that are provided by a third party?

2. What would we count as our assets regarding these servers that are provided by a third party? These servers are accessed by our staff to do our work using any laptop that is available to us, provided that the IP is cleared by our CTO to access the servers.

3. Do we need to reference anything from the Third Party provider? Where will it be referenced in the ISMS?

4. Can you give examples on how regulations, like GDPR, translate into a policy or procedure – like a specific rule in the Information Security Policy Document. I just want to see an example of the wording pattern in a policy where a regulation is referenced.

5. Let’s say the scope of ISMS for now applies to the Services that we provide that are hosted in a third party provided server. What would be examples to exclude?

Expert
Rhand Leal Jun 12, 2020

1. We use a third party to provide infrastructure for our product (Installation sits on an AWS Server). On the Scope document, what would we put under “Location” for these servers that are provided by a third party?

Please note that under “Location” you need to include only your premises locations, not those of your providers. Regarding the infrastructure you mentioned, you only need to specify them and explain they are provided by a third party under "Networks and IT infrastructure", so this information can be used during the other phases of the implementation (e.g., risk assessment and risk treatment).

2. What would we count as our assets regarding these servers that are provided by a third party? These servers are accessed by our staff to do our work using any laptop that is available to us, provided that the IP is cleared by our CTO to access the servers

The proper approach will depend on the level of control you have over these servers:

  • if you need to operate and maintain the servers (i.e., the provider only offers the virtual machines), you should count as assets the servers themselves
  • if you only use the servers (i.e., the provider operates and maintains the servers), it is better to count them as a single service

3. Do we need to reference anything from the Third Party provider? Where will it be referenced in the ISMS?

The relation with Third-Party providers should be referenced primarily in the List of legal, regulatory, and contractual requirements, identifying the contracts or agreements signed with them (so the organization is aware of what needs to be considered). They can also be referenced in the risk assessment and risk treatment process (where you can identify relevant risks related to them and define proper treatment).

4. Can you give examples on how regulations, like GDPR, translate into a policy or procedure – like a specific rule in the Information Security Policy Document. I just want to see an example of the wording pattern in a policy where a regulation is referenced.

Please note that legal requirements (e.g., laws, regulations, or contracts) should not be directly translated into policies or procedures (this approach would quickly turn the documents into a mess).

The adopted approach in our toolkit is to list the relevant legal requirements in the List of Legal, Regulatory, Contractual and Other Requirements template, located in folder 02 Identification of Requirements, and from this list, identify which controls from Annex A must be applied (this identification is made in the Statement of Applicability, located in folder 06 Applicability of Controls).

With this approach, aligning the legal requirements with controls first, we ensure that legal requirements that will use the same controls are under the same general text we already developed, compliant with the standard, and you will only need to include specifics (e.g., references to technologies and activities) as needed (the parts of the text that require customization are identified in the templates).

For example, GDPR article 32 requires companies to use (where appropriate) pseudonymization and encryption of personal data. In this case, controls from section A.10 Cryptography are applicable, and in the related document, Policy on the Use of Encryption, located in folder 08 Annex A Security Controls >> A.10 Cryptography, you only need to specify elements like "Name of the system", "Cryptographic tool", "Encryption algorithm", and "Key size".

5. Let’s say the scope of ISMS for now applies to the Services that we provide that are hosted in a third party provided server. What would be examples to exclude?

Since you are referring only to your provided services, an example of a scope exclusion would be the organization's administrative departments. Since exclusions of the ISMS scope will depend on the organization's objectives, without more detailed information, it is not possible to provide a more detailed answer.
