Expert Advice Community

Scope definition

Guest user, created: Jul 17, 2021, last commented: Jul 17, 2021

Hi Dejan, thank you for the Webex on Defining the Scope yesterday.  It was very informative.

I raised a question about defining the Scope if you are an MSP / the Cloud and Infrastructure is shared and you said you would ask your team and get back to me. To summarise, I’ve tried to explain the question a bit clearer below.

We established customers are interested parties in the ISMS.  I understand that.  My question is: if you then share the underlying infrastructure, for example a physical server that is running a virtual machine that the MSP owns and a virtual machine of the customer.  The MSP has a responsibility to the customer as defined in the contract to keep the virtual machine available that resides on that physical server.  Then as far as the MSP is concerned with regards to ISO 27001 the physical server will be within scope as it is MSP owned, along with the virtual machine that resides on the physical host because it is MSP owned.

This means the MSP has a physical host and a virtual machine that are in scope, but the virtual machine that belongs to the customer is out of scope since it is only the MSP and not the customer that is looking for certification.  In addition, the MSP can’t be responsible for certifying all its customers.  So how do you define the Scope in this situation?  The customer virtual machine and MSP virtual machine on the same physical host are separated logically.

I’ve also been looking at your Conformio product.  The problem we have is, given the nature of our business (MSP / ISP), I think we would need some additional support, more so than just email.  Someone that understands our business and who we can speak to to ask questions.  A combination between a Consultant and your product.  Do you offer anything like this?  Would there be an opportunity to work something out with Advisera to achieve this that meets our needs?

Thank you

P.S: I found your book Secure and Simple along with your website very helpful and well written.  So thank you for that.

Expert: Rhand Leal, Jul 17, 2021

1 - We established customers are interested parties in the ISMS.  I understand that.  My question is: if you then share the underlying infrastructure, for example a physical server that is running a virtual machine that the MSP owns and a virtual machine of the customer.  The MSP has a responsibility to the customer as defined in the contract to keep the virtual machine available that resides on that physical server.  Then as far as the MSP is concerned with regards to ISO 27001 the physical server will be within scope as it is MSP owned, along with the virtual machine that resides on the physical host because it is MSP owned.

This means the MSP has a physical host and a virtual machine that are in scope, but the virtual machine that belongs to the customer is out of scope since it is only the MSP and not the customer that is looking for certification.  In addition, the MSP can’t be responsible for certifying all its customers.  So how do you define the Scope in this situation?  The customer virtual machine and MSP virtual machine on the same physical host are separated logically.

Answer: In the scope, you need to state just that: that your scope covers your physical environment and the virtual environment controlled by the organization, and that virtual machines not controlled by the organization are not part of the scope. Additionally, you should explain how the VMs that are not controlled by you are separated from your virtual environment.

To see what an ISMS scope document compliant with ISO 27001 looks like, please access this free demo: https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/

For further information, see:
- Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/

2 - I’ve also been looking at your Conformio product. The problem we have is, given the nature of our business (MSP / ISP), I think we would need some additional support, more so than just email.  Someone that understands our business and who we can speak to to ask questions. A combination between a Consultant and your product.  Do you offer anything like this?  Would there be an opportunity to work something out with Advisera to achieve this that meets our needs?

Thank you

P.S: I found your book Secure and Simple along with your website very helpful and well written. So thank you for that.

Answer: We provide one-on-one consultations with an expert who will help clarify any questions related to the implementation of ISO 27001 - this is not consulting, but through these consultations we transfer the know-how to our clients.
