Answer: In principle, any process and/or organizational unit can be excluded from the ISMS scope, but sometimes the effort to implement such segregation is not worthwhile (e.g., the organization is too small or the process/organizational unit has many relations with elements included in the scope), so your organization should evaluate this situation first before deciding whether or not to include purchasing in the scope.
These articles will provide you with further explanation about scope definition:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
These materials will also help you regarding scope definition:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Oct 27, 2017