Expert Advice Community


Scope of ISMS

Guest user Created:   Jun 18, 2020 Last commented:   Jun 18, 2020

Here is how I scoped my ISMS:
The management of information security as it relates to Product Management, Engineering, Development, Software, Vendor Management, and Customer applications and data.

The feedback from our auditor (during a pre-assessment) is that "The boundaries of the information security management system in terms of facilities/locations and personnel might be clarified. The determination of the boundaries within the scope is used to identify the interface of the system with other organizations, and where activities of the system are under *** full control and what security controls are addressed through other methods (agreements, supply management …) with other organizations."

Would he be looking for geographic limitations, such as in the U.S., or cloud assets, globally, etc.? I'm not entirely sure what is missing in my scope.

Any guidance/suggestions would be appreciated.


Expert
Rhand Leal Jun 18, 2020

Your understanding is correct. By defining physical limitations in your scope, it will be easier to identify how to properly protect the information. Please note that the scope statement is not wrong; it can only be improved by specifying locations.

Please note that the provided template for ISMS scope included in the toolkit covers all important elements for the scope definition. The comments included in it will guide you where to include the information about locations.

This article will provide you with a further explanation about the scope definition:
