Offshore Requirements
I have some customer requirements that I want to ask if they are already included in my scope or not. One set calls out Offshore requirements. We are a virtual company and everyone works remotely. I didn't plan to separate offshore vs. domestic work. Is that typical?

Please let me know if these requirements will be fulfilled: I think these would be, but I don't quite understand Incident Response vs. Incident Plan vs. Incident handling - aren't these all covered by the same Policies and Procedures and part of the overall plan?

IR-1.1 Develop policies and procedures for Incident Response.
IR-6.1 Report security incidents to appropriate personnel or government authorities in a timely manner.
IR-8.1 Develop a comprehensive Incident Response Plan for the organization.
IR-5.1 Implement mechanisms for tracking and documenting security incidents.
IR-4.1 Develop an incident-handling process for the organization.

Does this have to be separate?

Offshore-48 Complete a security assessment of the organization's offshore location(s) and/or third party's offshore location(s) annually.
Offshore-20 Requires antivirus software to be active and up to date on workstations.
1 - I didn't plan to separate offshore vs. domestic work. Is that typical?
By offshore vs. domestic work, I’m assuming that you refer to people who work outside your country of operation (offshore) and people who work in your country of operation (domestic).
Considering that, ISO 27001 does not prescribe how to define the ISMS scope, so organizations can develop it in whatever way best fits their needs.
It is acceptable to cover work performed in the country of operation and in foreign countries in a single scope, and you should make your decision based on the quantity and complexity of the legal requirements related to the foreign places in which you operate.
For example, you may have different requirements related to the protection of information stored and/or processed offshore that you may end up applying to your whole scope, and you can avoid that by defining separate scopes.
2 - Please let me know if these requirements will be fulfilled: I think these would be, but I don't quite understand Incident Response vs. Incident Plan vs. Incident handling - aren't these all covered by the same Policies and Procedures and part of the overall plan?

IR-1.1 Develop policies and procedures for Incident Response.
IR-6.1 Report security incidents to appropriate personnel or government authorities in a timely manner.
IR-8.1 Develop a comprehensive Incident Response Plan for the organization.
IR-5.1 Implement mechanisms for tracking and documenting security incidents.
IR-4.1 Develop an incident-handling process for the organization.

Does this have to be separate?
First, it is important to note that incident response, incident plan, and incident handling refer to different things:
- incident handling refers to the general steps to treat an incident (e.g., incident communication, incident classification, incident treatment, and incident closing)
- incident response refers to a response to a specific incident (e.g., in case of data loss the incident response is to recover the data from backup)
- incident plan refers to defining specific steps to be followed and resources to be used
Considering that, the Incident Management Procedure document covers incident handling, and in its section 3.4 (Treating Major Incidents) you can either define incident responses and their plans in the procedure itself or refer to external documents covering the specific incident responses and the related incident plans.
For further information, see:
- How to handle incidents according to ISO 27001 A.16 https://advisera.com/27001academy/blog/2015/10/26/how-to-handle-incidents-according-to-iso-27001-a-16/
3 - Offshore-48 Complete a security assessment of the organization's offshore location(s) and/or third party's offshore location(s) annually.
Offshore-20 Requires antivirus software to be active and up to date on workstations.
I’m assuming that by Offshore-48 and Offshore-20 you mean different business units.
Considering that, you can have different plans for different business units, based on the results of the risk assessment, but please note that since such plans are unique to each company, it is unfeasible to provide templates for them, so you will need to develop them on your own. In case you need support to develop such specific plans, you can schedule an online meeting with one of our experts at this link: https://advisera.com/27001academy/consultation/
Nov 10, 2022