Scope definition
Our company has about 50 employees and we develop and manufacture a product with both software and hardware components.
Do we include in the scope document the back-office systems that are used for HR, Marketing, Sales, Finance (incl. salaries), and CRM?
I would assume that our customers will not be interested in that but are rather focused on ISO 27001 referring to product-related systems like R&D, software development, and manufacturing, and also on us protecting their medical information that might be stored on the device.
For companies of your size, our recommendation is to include the whole organization in the Information Security Management System (ISMS) scope (i.e., you need to include all the systems you listed in the scope), because the effort to separate what is and what is not part of the scope is not worth it.
For further information, see:
- All you need to know about setting the ISO 27001 scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
This material can also help you:
- Tool for defining the ISO 27001 ISMS scope https://advisera.com/insight/chatbot-tool-iso-27001-scope/
Jun 20, 2023