Question about ISMS

Please note that ISO 27001 does not require the interfaces and dependencies to be documented (only to be considered when defining the scope), so documenting them in the scope only would create additional information to be managed without need.

In case you have other situations where documentation of interfaces and dependencies may be required, the way to document them should be considered on a case-by-case basis (e.g., network interfaces and dependencies are better described in a network diagram, interfaces and dependencies with suppliers in SLA's, HR’s activities interfaces and dependencies on process workflows, etc.).

This article will provide you a further explanation about examples of interface and dependencies:

• How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/

These materials will also help you regarding examples of interface and dependencies:

• Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
• Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Is the scope of an ISO 27001 certification rigid and not very changeable over the entire certification period of 3 years? What happens to the validity of the certification if the scope expands and, for example, new locations or new products should be included in the scope? Is the scope somehow extendable to a certain extent and will it be adjusted from the auditing party during the annual review?

Example:

The following scope was defined for the certification of ISO 27001:

The scope of the ISMS covers the operation of product A at site X.

In the first year after certification, the scope should change to:

The scope of the ISMS covers the development and operation of product A and B at site X and Y.

In fact, changes in the ISMS scope are quite a common business and your organization can perform changes in the ISMS scope at any moment during the certification period. The scope can be expanded or reduced according to the organization's needs.

A change in the ISMS scope is something expected during a certification life cycle and this situation does not make it invalid, provided that the new scope still fulfills all requirements of the standard. Considering that, after defining the new scope, you need to evaluate the impacts of the change and make proper adjustments in the ISMS (e.g., risk assessment, risk treatment, SoA, etc.).

Regarding the certification body, you need to communicate it about the change in the scope, so it can verify if any adjustment in the planned surveillance audits is necessary (e.g., if only minor adjustments in the current schedule are enough, or if additional days are required).

These articles will provide you a further explanation about the scope definition:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

This material will provide you a further explanation about the scope definition:
- How to set the ISMS scope according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/