Expert Advice Community

Policy Applicability Questions

sujansuresh Created:   Jun 03, 2016 Last commented:   Jun 06, 2016

If an organization has its physical data center at another location with a private hosting group, do the controls for physical perimeter security and data center security come into play in this case? Kindly share the justification as well.
Antonio Jose Segovia Jun 06, 2016
If you have outsourced your IT infrastructure to an external provider (an external data center providing hosting services), you cannot manage controls related to their physical perimeter, so in this case you must identify all risks related to their service and include security clauses in the agreement with that provider. However, you can control the assets that you directly manage (data, applications, virtual servers, etc.), so there you will apply appropriate security controls.

So, basically, all IT infrastructure provided by an external company (physical servers, etc.) should be out of the scope of your ISMS, and all assets that you can manage (virtual servers, web servers, applications, etc.) should be included in the scope.

I think that this article can be useful for you, “6-step process for handling supplier security according to ISO 27001”: https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/

And also this one, “ISO 27001 vs. ISO 27017 – Information security controls for cloud services”: https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/

And also this one, “How to define the ISMS scope”: https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/

Finally, our online course can also be interesting for you, because we give more information about the security controls of Annex A of ISO 27001:2013. “ISO 27001:2013 Foundations Course”: https://training.advisera.com/course/iso-27001-foundations-course/