I’m from a multi-academy trust which is made up of XXXX schools. We have over XXXX students and XXXX staff, so for our scope, we’re looking at the IT department, rather than the whole organisation.
However, the more I look at this, the more confused I'm getting!
Clauses 4.1 and 4.2, are they based on the organisation as a whole, rather than the department in scope? It seems like even clauses 4.1 and 4.2 are a huge task, and identify things that aren't covered by the IT department. It seems odd to identify these issues as an organisation, only to not cover them as they aren't covered by our scope.
Also, in terms of interested parties, would our students count? If so, would it be those over the age of consent in GDPR terms, or all ages?
Also, do you know if any schools or multi-academy trusts in the UK have achieved ISO 27001? If not, are there any resources or information you could point me to that are focused on educational establishments that I could gain some guidance from?
Finally (apologies, this may be oddly worded!), as the IT department, does that just cover the processes/information used by them, or does it also mean the services/equipment the IT department provides for others to use? Such as requiring two-factor authentication for staff in other departments to log in to a service?
We’re also going to purchase the documentation and support pack with you, but our ordering process can take a little while, so just wanted to get these couple of questions out in advance!