Policy Applicability Questions
If you have outsourced your IT infrastructure to an external provider (external data center providing hosting services), you cannot manage controls related to their physical perimeter, so in this case you must identify all risks related to their service and include security clauses in the agreement with that provider. However, you can control the assets that you directly manage (data, applications, virtual servers, etc.), so there you will apply appropriate security controls.
So, basically, all IT infrastructure provided by an external company (physical servers, etc.) should be out of the scope of your ISMS, and all assets that you can manage (virtual servers, web servers, applications, etc.) should be included in the scope.
I think that this article can be useful for you “6-step process for handling supplier security according to ISO 27001” : https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
And also this one “ISO 27001 vs. ISO 27017 – Information security controls for cloud services” : https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/
And also this one “How to define the ISMS scope” : https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
Finally, our online course can also be interesting for you, because we give more information about the security controls of Annex A of ISO 27001:2013: “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
Jun 06, 2016