Problems with very narrow ISMS scope

Guest
Guest user. Created: Sep 24, 2016. Last commented: Sep 24, 2016

I have a question on ISO27001 scope I was hoping you could help me with.
Expert
Dejan Kosutic Sep 24, 2016

The company is divided into 2 main parts, the computer operations centre and the rest of the company. If the scope of the ISO 27001 project was going to be for the Security Operations Centre (SOC) exclusively, then am I correct in stating that any dependencies that the SOC has on IT, for example server infrastructure in the company domain, would result in the company data centre having to be included in the scope?

Answer: I'm not really sure if it makes sense to include only your SOC in the ISMS scope, but this is theoretically possible. In the case of such a narrow scope, the main thing is to make sure you have interfaces to the "outside world" - in your case this outside world would be the rest of the company. So if you include server infrastructure in the scope, it would be extremely difficult to create an interface towards other users in your company - therefore, it is better to exclude the server infrastructure from such a scope.

If we put the AD and infrastructure the SOC needs into a DMZ that is shared by the SOC and the company, then how does that affect the scope for the 27001 implementation?

Answer: Basically, the logic is the same as described above - probably the best idea is to keep the AD outside of the scope. Of course, this opens the question of what would be included in the scope then, which leaves us with the conclusion that such a small scope doesn't make much sense.

Also, if the scope is set to be exclusively for the SOC, then it can be extended to the rest of the company, right? Or is it best to have 2 separate ISMSs, one for the company and one for the SOC?

Answer: Yes, your scope can be extended to other parts of the company; it is a very bad idea to have two separate ISMSs in a company.

See also these articles:
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/

This book will also help you with setting the scope: Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
