Expert Advice Community

Question about Scope of Work

Guest
Guest user Created:   Jun 18, 2021 Last commented:   Jun 23, 2021

We have started engaging with a company to help us get an ISO 27001 certificate. I am the project manager (the contact person), and I am confused about the SOW: they want to do it for all the *** and I believe that we have to start with the IT department. What do you think?

Expert
Rhand Leal Jun 18, 2021

Some information is missing for giving a direct answer, so I'll provide one considering two possible scenarios.

The definition of the Scope of Work (SOW) for your ISO 27001 project will depend on the Information Security Management System (ISMS) scope, which basically defines where the information you want to protect is located.

For small organizations (up to 50 employees) it is more practical to include the whole organization in the scope, because the effort to keep a separation between the parts in and out of the scope is not worthwhile. In this case, the project's SOW should be the whole organization.

In case your organization has more than 50 employees, you should evaluate whether keeping only the IT department in the scope is worthwhile (you would have to treat all other departments like external parties, for which you need to implement controls to separate them from the ISMS scope, while at the same time providing them access to the information in the ISMS scope that they need to operate). In this case, the project's SOW should be defined according to the ISMS scope.

This problem is described in detail in this article:

Guest
Guest user Jun 21, 2021

One more question, please: which main departments should be involved in the risk assessment, or be the main risk owners?

Expert
Rhand Leal Jun 23, 2021

All departments included in the ISMS scope need to be involved in the risk assessment.

Regarding risk owners, you should consider the roles with the most interest in, and authority over, treating them. For example, if you identify risks related to a server, you should consider the IT manager as the risk owner.

These articles will provide you with a further explanation about risk assessment and risk owners:

These materials will also help you regarding risk management:
