SPRING DISCOUNT
Get 30% off on toolkits, course exams, and books.
Limited-time offer – ends May 26, 2022
Use promo code:
SPRING30

Expert Advice Community

Guest

Questions about Stage 1, and Scope

  Quote
Guest
Guest user Created:   Feb 24, 2022 Last commented:   Feb 28, 2022

Questions about Stage 1, and Scope

Dear Dejan, We have already passed Stage 1 successfully with the recommendation from the auditor to move to Stage 2. Thank you very much for all your support and information!! Nevertheless, a little situation arose from the Stage and maybe you can give us some suggestions. In our company we develop and maintain Software and Hardware (we have a pull of 80 developers).  We defined our scope with the idea to include just process that support our development process: “The information systems that support the following services are part of the ISMS scope: o    Design, development. deployment, maintenance, and support of Software for localization devices for Industry, Automotive, Sports, and Personal protection o    Design, deployment, and support of Hardware of localization devices for Industry, Automotive, Sports, and Personal protection.” During the Stage 1 the auditor commented us that we should include all the developers within the scope, and thus include/raise the correspondent days and money. Or exclude the Development controls from the SoA and have a Scope like this without auditing the development: “The operation of information systems that support the following activities and services: o    Design, development. deployment, maintenance, and support of Software for localization devices for Industry, Automotive, Sports, and Personal protection o    Design, deployment, and support of Hardware of localization devices for Industry, Automotive, Sports, and Personal protection.” Does the inclusion of all the developers make sense to you? They work in different projects but basically work in the same way regarding the ISMS. We may have team leaders, developers, and working students but all categories work in the same way. What could we argument against this decision/suggestion? Thank you very much in advance
0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Feb 24, 2022

In case the total of employees in your company is less than 50, you should consider go with your original scope, because the effort to keep the minor scope separated from the rest of the organization wouldn’t be worthy.

In case your company has more than 50 employees, or you do not have a customer that requires your defined scope, then you should consider the narrow scope, because this will mean less resources and effort to maintain the ISMS.

Quote
0 0
Guest
jorge Feb 24, 2022

Hello Rhand,

 

It is the certification body who is insisting that if we want to include development in the scope, and the relevant SoA controls, then all the developpers must be included. In our opinion not all the developpers are relevant for the ISMS.  What can we argue against that vision? 

You mention to reduce the scope. We dont have a specific requirement from our customers regarding the scope or the development department, but we think that since we develop software it should be included. Why do you think that doesnt matter and that it is ok to reduce the scope?

 

Other questions, does really this little wording means so much in terms of who should be included in the scope?

 "The information systems that support " vs  "The operation of information systems that support"

 

Thank you very much for your help

Quote
0 0
Expert
Rhand Leal Feb 28, 2022

1 - It is the certification body who is insisting that if we want to include development in the scope, and the relevant SoA controls, then all the developpers must be included. In our opinion not all the developpers are relevant for the ISMS.  What can we argue against that vision? 

Please note that if all developers have access to the information you want to protect, then all developers need to be included in the scope (the point is not if they are relevant or not, but which information they can access). In case you can evidence that the developers you do not want to include in the scope cannot access the information you want to protect, then you do not need to include these developers in the ISMS scope.

2 - You mention to reduce the scope. We dont have a specific requirement from our customers regarding the scope or the development department, but we think that since we develop software it should be included. Why do you think that doesnt matter and that it is ok to reduce the scope?

Please note that it is not a question if we consider if it matters or not to keep the development in the scope (this decision is up to the organization according to its objectives and strategies). The situation is that the certification body is suggesting you make some adjustments, and we just provide informed alternatives for you to make a decision.

In our point of view, if you want to keep the development process in the scope, you need to make the adjustments suggested by the certification body (more details about the rationale are in the answer to question 1). If you understand the adjustments are not necessary, you need to reduce the ISMS scope, so these points are not questioned by the certification body anymore.

Please note that you can keep the information security practices for development regardless they are in the certification scope or not. Maybe after some time, you have more data to decide to include it in the scope.

3 - Other questions, does really this little wording means so much in terms of who should be included in the scope?

"The information systems that support" vs "The operation of information systems that support"

Please note that when you refer to "The information systems that support", all personnel who interacts with the information systems needs to be included in the scope (e.g., IT personnel, users, customers, etc.).

When you refer to "The operation of information systems that support", you limit the personnel who interacts with the information systems to the people who keep them running, i.e., the IT staff.

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Feb 24, 2022

Feb 28, 2022

Suggested Topics

Guest user Created:   Feb 07, 2018 ISO 27001 & 22301
Replies: 1
0 0

ISO 27001 implementation

Guest user Created:   May 21, 2022 ISO 27001 & 22301
Replies: 1
0 0

Toolkit questions