Expert Advice Community

Scope definition

Guest user Created:   Dec 17, 2020 Last commented:   Dec 21, 2020

In my company, we want to establish ISO 27001 for the whole organization. We develop, establish, and support ERP solutions. The ERP uses some web services (microservices or APIs) from third parties, some of which are licensed and others free. Does the web service affect the ISMS scope?

Also, should we consider the risks of using the API in the risk assessment process (like access control, malware analysis, monitoring, ...)?

Expert
Rhand Leal Dec 17, 2020

1 - In my company, we want to establish ISO 27001 for the whole organization. We develop, establish, and support ERP solutions. The ERP uses some web services (microservices or APIs) from third parties, some of which are licensed and others free. Does the web service affect the ISMS scope?


Answer: First, it is important to note that ERP solutions are services, and they are not certifiable by ISO 27001. In this case, for the ISMS scope you need to consider the process to develop, establish, and support them.

As one of the elements of the ERP solution, the web service does not need to be included as part of the scope; you only need to define that your process to develop, establish, and support ERP solutions uses third-party services. This information in the ISMS scope will be important for guiding the risk assessment and treatment process.

These articles will provide you with a further explanation of scope definition:

- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/


2 - Also, should we consider the risks of using the API in the risk assessment process (like access control, malware analysis, monitoring, ...)?

Answer: Since the ISMS scope will be the whole organization, you need to consider the risks of using the API in the risk assessment process, related to the process to develop, establish, and support ERP solutions.

For further information, see:
- ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

These materials will also help you regarding risk assessment:
- The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- Free online training ISO 27001 Foundations Course https://training.advisera.com/course/iso-27001-foundations-course/

Guest
tabatabaee Dec 21, 2020

Hello Rhand Leal,

Thank you for your reply.
