Expert Advice Community

Scope definition

Guest user Created:   Sep 27, 2022 Last commented:   Sep 27, 2022

In your opinion, if several registered entities with different natures of business (e.g., a data operator, a business optimisation consultancy, a publication house, and a financial service provider) are part of a registered holding company, how do you determine the ISMS scope? Would it pass an ISO audit if the holding company drafted an Acceptable Use Policy or Wi-Fi AUP with the expectation of a "one size fits all" approach for all entities?

Or would each entity have to have a separate policy that aligns with the holding company's security objectives as far as it is applicable to them on an individual basis?

Expert
Rhand Leal Sep 27, 2022

The ISMS scope should be determined considering the information you want to protect, not the relation between the entities of a holding company (this specific issue about entities involved in the certification needs to be aligned with your certification body).

Regarding policies, since the entities have different natures, it would be better to draft different policies, according to the specific risk profile of each entity, as well as other specific issues.

For further information, see:
