Scope definition
In your opinion, if several registered entities with different natures of business (e.g., data operator, business optimisation consultancy, publication house, and a financial service provider) are part of a registered holding company, how do you determine the ISMS scope? Would it pass an ISO audit if the holding company drafted an Acceptable Use Policy or Wi-Fi AUP with the expectation of a "one size fits all" approach for the entities?
Or would each entity have to have a separate policy that aligns to the holding company's security objectives as far as it is applicable to them on an individual basis?
The ISMS scope should be determined considering the information you want to protect, not the relation between the entities of a holding company (this specific issue about entities involved in the certification needs to be aligned with your certification body).
Regarding policies, since the entities have different natures, it would be better to draft different policies, according to the specific risk profile of each entity, as well as other specific issues.
For further information, see:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
- Tool for defining the ISO 27001 ISMS scope https://advisera.com/insight/chatbot-tool-iso-27001-scope/
- 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
Sep 27, 2022