Expert Advice Community

Scope

Guest user Created: Sep 18, 2023 Last commented: Sep 18, 2023

In the case of a group of three companies (A, B, C), company A is to be certified. All three companies have their own, independent customers and suppliers. The servers and network components of all three companies are located in the data center of company A. How must the SCOPE of company A be described if the servers and network components of companies B and C are NOT to be part of the certification?

Expert
Rhand Leal Sep 18, 2023

In this scenario, you can simply state in the ISMS scope document, section 3.4 Exclusions of the scope, that servers and networks related to companies B and C are not part of the ISMS scope.

You can access the ISMS scope for editing by clicking on the “Compliance” link in the left-side panel and then “Implementation steps.” From there, you can access the step related to the ISMS document scope and edit it.

For further information, see all you need to know about setting the ISO 27001 scope.

This tool for defining the ISO 27001 ISMS scope can also help you.
