
Expert Advice Community

ISO scope

Created:   Aug 11, 2020 Last commented:   Aug 11, 2020


We are struggling with the scope policy. We have a department within our company called IT Solutions that will be providing some services to support the XXXX. We are certifying XXXX, but as we state in our scope "organizational unit" paragraph, there are dependent departments that provide services to support *** but are not part of *** organizationally. We did not initially include the IT Solutions department in our Organizational Unit section, but now we are in disagreement about whether they should be added to this section or not.

1 - Is it essential that we name any organizational unit that provides any kind of service to our *** organization?

"2. Organizational units

*** will be the organizational unit in scope. Within that unit there are several external units/departments that provide dependent supportive services, including Security and Compliance, Support, Engineering, Human Resources, Compliance, Legal, *** Admin, and IT Services."

2 - If we include that department, what impact will this have on the certification?


Expert: Rhand Leal, Aug 11, 2020

1 - Is it essential that we name any organizational unit that provides any kind of service to our *** organization?

"2. Organizational units: *** will be the organizational unit in scope. Within that unit there are several external units/departments that provide dependent supportive services, including Security and Compliance, Support, Engineering, Human Resources, Compliance, Legal, *** Admin, and IT Services."

Answer: Unless they are part of the ISMS scope, dependencies on other business units, or on external providers, do not need to be included in the ISMS scope document (please note that the ISMS scope is not a policy). They need to be identified during the risk assessment and risk treatment process, so that proper controls are in place to protect the information in the ISMS scope that they have access to.

For further information, see:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/

2 - If we include that department, what impact will this have on the certification?

Answer: When you include a new department in the scope, you need to evaluate how it impacts information security and make required adjustments.

For organizations already certified (and only in that case), it is also necessary to inform the certification body about the changes, so they can evaluate whether the surveillance audits need to be changed to certify the new scope.
