Take the ISO 27001 course exam and get the EU GDPR course exam for free
LIMITED-TIME OFFER – VALID UNTIL SEPTEMBER 30, 2021

Expert Advice Community

Guest

Question about ISMS

  Quote
Guest
Guest user Created:   Feb 22, 2021 Last commented:   Feb 27, 2021

Question about ISMS

We have bought the toolkit (German version) and I have one question: 

Which parts and elements are needed within the documentation and description of interfaces and dependencies from “outside” services in connection with the scope of the ISMS. We have identified several interfaces to parties which are not directly included in the scope of the ISMS. For example:

  • Suppliers
  • HR
  • External software developing companies
  • Legal department
  • Data from external component manufactures needed for our product in the scope

So what is needed to describe these interfaces?

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Feb 22, 2021

Please note that ISO 27001 does not require the interfaces and dependencies to be documented (only to be considered when defining the scope), so documenting them in the scope only would create additional information to be managed without need.

In case you have other situations where documentation of interfaces and dependencies may be required, the way to document them should be considered on a case-by-case basis (e.g., network interfaces and dependencies are better described in a network diagram, interfaces and dependencies with suppliers in SLA's, HR’s activities interfaces and dependencies on process workflows, etc.).

This article will provide you a further explanation about examples of interface and dependencies:

These materials will also help you regarding examples of interface and dependencies:

Quote
0 1
Guest
Guest user Feb 25, 2021

Is the scope of an ISO 27001 certification rigid and not very changeable over the entire certification period of 3 years? What happens to the validity of the certification if the scope expands and, for example, new locations or new products should be included in the scope? Is the scope somehow extendable to a certain extent and will it be adjusted from the auditing party during the annual review?

Example:

The following scope was defined for the certification of ISO 27001:

The scope of the ISMS covers the operation of product A at site X.

In the first year after certification, the scope should change to:

The scope of the ISMS covers the development and operation of product A and B at site X and Y.

Quote
0 0
Expert
Rhand Leal Feb 27, 2021

In fact, changes in the ISMS scope are quite a common business and your organization can perform changes in the ISMS scope at any moment during the certification period. The scope can be expanded or reduced according to the organization's needs.

A change in the ISMS scope is something expected during a certification life cycle and this situation does not make it invalid, provided that the new scope still fulfills all requirements of the standard. Considering that, after defining the new scope, you need to evaluate the impacts of the change and make proper adjustments in the ISMS (e.g., risk assessment, risk treatment, SoA, etc.).

Regarding the certification body, you need to communicate it about the change in the scope, so it can verify if any adjustment in the planned surveillance audits is necessary (e.g., if only minor adjustments in the current schedule are enough, or if additional days are required).

These articles will provide you a further explanation about the scope definition:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

This material will provide you a further explanation about the scope definition:
- How to set the ISMS scope according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Feb 22, 2021

Feb 27, 2021

Suggested Topics

Guest user Created:   Mar 01, 2021 ISO 27001 & 22301
Replies: 1
0 0

ISMS question about scope

Rena Created:   Sep 15, 2021 ISO 27001 & 22301
Replies: 1
0 0

Conformio ISO Documentation