
Expert Advice Community

Guest user, created Mar 20, 2021, last commented Apr 29, 2021

Question for ISMS ISO 27001

We bought the Docu Kit and again I have a question about the ISMS.

The ISO 27001 standard requires that an information security policy be formulated and made known (5.2). The standard does not specify which scope (or area) of an organization the information security policy must cover. Is it possible that overall policies are valid for multiple areas (locations, sides) within an organization, whereas some policies are only valid within the specified scope of the ISMS?

An example:

Our company has several locations and the information security policy applies to all locations here in XXXX. However, the actual scope of the ISMS is only a subarea of a certain location. Therefore, can the information security policy be valid in its entirety while certain procedural instructions of the ISMS apply only for the ISMS scope? This would mean that there are documents in the ISMS with general validity and also documents that only apply to the ISMS.

Expert: Rhand Leal, Mar 20, 2021

It is perfectly possible to have overall security policies covering all of the organization's locations, not only the ones defined as the ISMS scope, and other policies applicable only to the ISMS scope.

These articles will provide you with a further explanation about defining the ISMS scope:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

These materials will also help you regarding ISMS scope:
- How to set the ISMS scope according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Guest user, Apr 28, 2021

I have another question about the ISMS. Each risk within the risk assessment process of the ISMS needs to have a dedicated risk owner.

Must the owner of a risk also mandatorily be within the workforce included in or covered by the scope of the ISMS? Or can a risk owner also be a member of staff outside the scope?

Example: The office location xyz is managed by a member of staff who is not in the actual scope of the ISMS. Nevertheless, this person is considered to be the risk owner for fire.

Expert: Rhand Leal, Apr 29, 2021

First, it is important to note that a risk does not need to have a dedicated risk owner. A risk owner can be responsible for multiple risks. I'm assuming you meant to say that each risk needs to have a single owner.

Regarding your question, ISO 27001 does not prescribe that risk owners need to be part of the ISMS scope, so this person can be someone from outside the scope, but you need to ensure that this person has approved management responsibility, accountability, and authority for managing the risk.

This article will provide you with a further explanation about risk owners:

This material will also help you regarding risk management:
