Expert Advice Community

Guest
Guest user, Created: Sep 14, 2022, Last commented: Sep 14, 2022

Query on ISMS Scope

I had a small query on the outlined ISMS scope in the organisational units. 

Can you check the attached image if it is correct for the organisational unit highlighted scope? 

  • I have added myself (IT security admin) and the Internal Audit Team. 
    • I will be leading the ISMS implementation while the Audit team will perform the internal audit of the ISMS implementation. 
  • With the location and network in scope and out of scope, 
    • Can we include all offices in scope as listed in the previous document as the outsourcing team will be working across Nepal offices?

As we cannot segregate office locations specifically for the outsourcing division, we will assess and implement ISO controls accordingly for the outsourcing team.


Expert
Rhand Leal Sep 14, 2022

You only need to include the implementation project team (i.e., yourself and the internal audit team) in the ISMS scope in case, once the implementation is finished, the project team will remain to perform other activities related to the ISMS.

In your case, for example, since you are part of the IT Department, your role does not need to be explicitly included in the ISMS scope since the IT Department is in the ISMS scope. As for the Internal Audit Team, in case they will not perform the internal audit over the implemented ISMS, it does not need to be included in the ISMS scope.

Regarding the offices, you only need to include them in the scope in case you consider that the information in the offices that are outside the scope of the outsourced services needs to be protected (e.g., printed information stored in the offices). 

In case only information that is handled by the outsourced services is to be protected, then the offices do not need to be included in the scope.
