
Expert Advice Community

Scope definition

Guest user Created:   Nov 08, 2017 Last commented:   Nov 08, 2017

We (My company) have bought the documentation toolkit (which I recommended to them).

Expert
Rhand Leal Nov 08, 2017

We have yet to start on anything.

Let me describe the situation.

- Our company was awarded a concession contract by the government to build a system (and operate and maintain it for 10 years).
- A subsidiary was set up to design and build this system for the government.
- The information security and IT business continuity design must comply with ISO 27001/27002 and 22301 requirements.
- It is a greenfield project (it will replace the old system and infrastructure altogether).

Questions:

1 - We would like to start by defining the scope of the ISMS. As it involves the customer sites (the government agency and its branches), the development (at the new subsidiary) and the operations (a command center, DC & DR) at customer sites, how do we scope this ISMS implementation?

Answer: An ISO 27001 ISMS scope can be defined in terms of locations, processes or business units, so, considering the information you provided, you may define the ISMS scope in terms of customer and subsidiary locations, and the business and supporting processes and infrastructure related to the information system you have to operate and maintain, as well as the related development and maintenance processes. For example:

"The ISMS scope comprises the process XYZ performed by the information system ABC, and its related infrastructure, which is operated and accessed from the following locations: customer site address 01, ..., customer site address n.

The ISMS scope also comprises the information system development and maintenance processes performed at subsidiary site address."

These articles will provide you further explanation about scope definition:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

2 - How do we conduct the risk assessment? There are no (infrastructure) assets for us to identify (it is a greenfield project), so an asset-based risk assessment will be a bit difficult to implement. Can you advise and point to the right resources for a scenario-based RA or another risk assessment methodology that is suitable? The context of the risk assessment should cover the company (which develops the system) and also the government agency (where the system will be in operation).

Answer: Since you are working with a greenfield project, first you should identify the requirements, assumptions and constraints for this system, its related IT infrastructure, and the locations where the system will operate, so you can devise how this implementation should be performed (as in all projects, you have to identify the deliverables in order to know what you have to build and how).

After that you can create a scenario in which the system will operate and then identify the elements you should consider in your risk assessment. For example, for one site you may identify that you will have an average of 1000 simultaneous accesses and that it is in a highly populated area subject to storms and floods. This information will give you an idea about the system's requirements (both for software and infrastructure).

You also should consider information from the current system (e.g., configurations, schemes, incident history) so you can have an idea of what this new system should have and what it should avoid.

Considering this approach, you can use the asset-based methodology to perform your risk assessment.

This article will provide you further explanation about risk assessment:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

These materials will also help you regarding risk assessment:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
