
Expert Advice Community
Scope definition

Guest user Created:   Mar 13, 2021 Last commented:   Mar 13, 2021

Hi Dejan,

I’m from a multi-academy trust which is made up of XXXX schools. We have over XXXX students and XXXX staff, so for our scope, we’re looking at the IT department, rather than the whole organisation.

However, the more I look at this, the more confused I’m getting!

Clauses 4.1 and 4.2, are they based on the organisation as a whole, rather than the department in scope? It seems like even clauses 4.1 & 4.2 are a huge task, and identify things that aren’t covered by the IT department. It seems odd to identify these issues as an organisation, only to not cover them as they aren’t covered by our scope.

Also, in terms of interested parties, would our students count? If so, would it be those over the age of consent in GDPR terms, or all ages?

Also, do you know if any schools or multi-academy trusts in the UK have achieved ISO 27001? If not, are there any resources or information you could point me to that are focused on educational establishments that I could gain some guidance from?

Finally (apologies, this may be oddly worded!), but as the IT department, does that just cover the processes/information used by them, or does it also mean the services/equipment the IT department provides for others to use? Such as requiring 2-factor authentication for staff in other departments to log in to a service?

We’re also going to purchase the documentation and support pack with you, but our ordering process can take a little while, so just wanted to get these couple of questions out in advance!

Expert: Rhand Leal, Mar 13, 2021

1 - Clauses 4.1 and 4.2, are they based on the organization as a whole, rather than the department in scope? It seems like even clauses 4.1 & 4.2 are a huge task, and identify things that aren’t covered by the IT department. It seems odd to identify these issues as an organization, only to not cover them as they aren’t covered by our scope.

Answer: Please note that for clauses 4.1 and 4.2 you need to consider the organization as a whole, because if you consider only your intended scope in terms of the IT department, you may miss elements that may impact the organization’s purpose, the intended Information Security Management System (ISMS) outcomes, and/or interested parties and their requirements, but are not directly related to your intended scope.

For example, for a web store, the purpose can be selling products, the intended outcomes for the ISMS can be the protection of data related to buyers and products, and an interested party may be the sales department. In this context, if the web store’s sales department needs to keep part of the buyers’ data outside IT systems for some reason (e.g., regulation or contract), and the IT department is not aware of this situation, the scope may be incorrectly defined (e.g., if you want to keep only the IT department in the ISMS scope, then you need to state that buyers’ data that exists outside IT systems is out of scope).

For further information, see:
- How to define context of the organization according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/
- How to identify interested parties according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301/
- How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/

2 - Also, in terms of interested parties, would our students count? If so, would it be those over the age of consent in GDPR terms, or all ages?

Answer: This answer will depend on what you consider for the organization’s purpose and intended ISMS outcomes.

For example, if the organization’s purpose and intended ISMS outcomes are related to education or customer data, then students should be considered as interested parties. Regarding GDPR, because the related information can be considered PII, the information of students of all ages must be protected if you need to comply with GDPR. What will happen is that for students under the age of consent you will need to consider additional protections.

3 - Also, do you know if any schools or multi-academy trusts in the *** have achieved ISO 27001? If not, are there any resources or information you could point me to that are focused on educational establishments that I could gain some guidance from?

Answer: We are not aware of specifics on certifications in this industry in the country you mentioned. From the 2019 ISO Survey (https://www.iso.org/the-iso-survey.html and https://isotc.iso.org/livelink/livelink?func=ll&objId=21414015&objAction=Open&nexturl=%2Flivelink%2Flivelink%3Ffunc%3Dll%26objId%3D18808772%26objAction%3Dbrowse%26viewType%3D1) you can see the number of ISO 27001 certificates issued for this industry. To know about specifics, you need to contact the certification bodies in your country and ask for this information.

Some references you may find useful:
- https://www.gov.uk/government/publications/school-and-college-security/school-and-college-security
- https://www.beaming.co.uk/insights/cybersecurity-safeguarding-approach-schools/
- https://www.ncsc.gov.uk/information/resources-for-schools

4 - Finally (apologies, this may be oddly worded!), but as the IT department, does that just cover the processes/information used by them, or does it also mean the services/equipment the IT department provides for others to use? Such as requiring 2-factor authentication for staff in other departments to log in to a service?

We’re also going to purchase the documentation and support pack with you, but our ordering process can take a little while, so just wanted to get these couple of questions out in advance!

Answer: Please note that you first need to consider whether the protection of these services/equipment the IT department provides for others to use is relevant to your information security objectives. If so, you need to consider them as part of the scope of the IT department, because the implementation of controls will be focused only within the scope.

These articles will provide you with further explanation about scope definition:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

These materials will also help you regarding scope definition:
- How to set the ISMS scope according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://training.advisera.com/course/iso-27001-foundations-course/
