Expert Advice Community

Register of Requirements and scope

Guest user. Created: Sep 01, 2023. Last commented: Sep 01, 2023.

We would like to have the development and QA departments of *** certified. But we would like to include the hosting of our cloud service (which is done by our holding company) in all the documents already now. We have been advised to do so because we would like to keep the scope small for the initial certification but extend it later. I'm now working on the Register of Requirements. How can I make transparent which requirements are for Dev/QA of *** and which are for the holding (in other words, what is in the certification scope and what's for later)?

Expert
Rhand Leal Sep 01, 2023

To identify in the register of requirements module which requirements would be applicable to the cloud service host, in the field “To what area is this requirement related?” you need to select the option “Managing security with suppliers and partners”. Additionally, you can write this information in the description field, together with the description of the requirement.

This way, it would be clear that the requirement is applicable to the cloud host.

Please note that when you define that something is in the scope, you can only “leave it for later” if you accept all risks related to that element in the scope.
