Scope for ISO 27001
Our company is planning to go for ISO 27001 certification this year. Our company is an SI that supports and implements enterprise-level cybersecurity projects for many sectors. As for the scope, we want to define our production network only, which contains many critical system/security controls like firewalls, DNS, AD, and many more... Our boss wants to say that the company's production network is running according to the ISO 27001 standard. I wonder whether that scope is acceptable to the auditor or not.
The ISMS scope can cover all organization, or only specific locations, processes, or information.
The main point when considering this approach is the effort required to keep the ISMS scope separated from the rest of the organization's elements (for small and mid-sized organizations the effort is often not worth it, and it is better to include the whole organization in the ISMS scope).
These articles will provide you with a further explanation about the scope definition:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
- How to set the ISMS scope according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/
May 05, 2020