We are struggling with the scope policy. We have a department within our company called IT Solutions that will be providing some services to support the XXXX. We are certifying XXXX, but as we state in our scope's organizational unit paragraph, there are dependent departments that provide services to support *** but are not organizationally part of ***. We did not initially include the IT Solutions department in our Organizational Unit section, but we now disagree about whether it should be added to this section or not.
1 - Is it essential that we name any organizational unit that provides any kind of service to our *** organization?
"2. Organizational units
*** will be the organizational unit in scope, with that unit there are several external units/departments that provide dependent supportive services to include Security and Compliance, Support, Engineering, Human Resources, Compliance, Legal, *** Admin, and IT Services."
2 - If we include that department what impact will this have on the certification?
1 - Is it essential that we name any organizational unit that provides any kind of service to our *** organization?
"2. Organizational units *** will be the organizational unit in scope, with that unit there are several external units/departments that provide dependent supportive services to include Security and Compliance, Support, Engineering, Human Resources, Compliance, Legal, *** Admin, and IT Services."
Answer: Unless they are part of the ISMS scope, dependencies on other business units, or on external providers, do not need to be included in the ISMS scope document (please note that the ISMS scope is not a policy). They need to be identified during the risk assessment and risk treatment process, so that proper controls are in place to protect the information in the ISMS scope that they have access to.
For further information, see:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
2 - If we include that department what impact will this have on the certification?
Answer: When you include a new department in the scope, you need to evaluate how it impacts information security and make required adjustments.
For organizations already certified (and only in that case), it is also necessary to inform the certification body about the changes, so they can evaluate whether the surveillance audits need to be changed to certify the new scope.
Aug 11, 2020