Scope of the ISMS

Guest user Created:   Jan 05, 2022 Last commented:   Jan 15, 2022

I have some questions about the definition of the scope of the ISMS. We're a small software company (less than 50 employees) and we both develop and provide software as SaaS. I understand that the scope should include the whole organization (office, employees, assets, etc.), as well as the processes we've implemented to develop and maintain our software. What is not clear to me is whether we should make explicit mention of these software products. Isn't it implicit that any application developed according to the practices laid out in the ISO 27001 standard is inherently compliant with it? A previously answered question states that "an application cannot be defined as an ISMS scope." [1] Most certificates I've seen simply state "software development", but some do mention their software solutions in the scope definition (e.g. MongoDB [2]). Does that ultimately make a difference in our ISMS or is it merely a question of public image and marketing?

Expert
Rhand Leal Jan 05, 2022

Please note that in the example you provided the software solutions are used as boundaries for the information that needs to be protected (in this case, the customer sensitive information), so the software solutions themselves are not part of the ISMS scope.

This approach affects the ISMS because, while this makes the scope smaller, it increases its complexity, because the organization needs to define how this scope is separated from other elements of its cloud environment.

As a physical analogy, you can think about a scope where only a department in the whole organization is part of the ISMS scope. This makes the scope smaller, but you need to define how this department will be separated from the other departments that are not part of the scope.

Paulo Jan 12, 2022

Hi Rhand,

You say:

so the software solutions themselves are not part of the ISMS scope.

I'm not entirely clear on your answer.

I would assume that the developed software solution should be part of the ISMS scope, if only because it represents an important, if not the most important asset of the organization (intellectual property) that needs appropriate controls to be protected from loss, corruption, breaches of confidentiality, etc.

So in my opinion it should be included in the scope. Am I correct?

Expert
Rhand Leal Jan 15, 2022

Please note that ISMS scope cannot be defined around a product - ISO 27001 scope is defined in terms of processes, information and/or location.

What you can include in the ISMS scope that will be related to the software solution is the software development and maintenance process (a secure process increases the likelihood of delivering a secure product), and the information related to the software source code (e.g., specification documentation, architecture blueprint, written code, etc.).

For further information, see:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
