Scope question
I have a basic scope question that I am trying to understand, and I am thinking that you might be able to help me.
1 - What do we really mean when we say that something is included in the ISMS scope? Does that mean that everything in the ISMS then needs to be applicable to the organization, site, and processes in the scope? Or if not, does this need to be described in the ISMS somewhere? (For example, if we have a sales process and this sales process doesn’t apply to an office that we say is in scope, then do we need to document this in the ISMS?)
2 - Could we exclude offices/departments from the ISMS because we don’t share the same core processes, if we at the same time share support processes (the HR process and some IT processes, for example) and steering processes?
1 - What do we really mean when we say that something is included in the ISMS scope? Does that mean that everything in the ISMS then needs to be applicable to the organization, site, and processes in the scope? Or if not, does this need to be described in the ISMS somewhere? (For example, if we have a sales process and this sales process doesn’t apply to an office that we say is in scope, then do we need to document this in the ISMS?)
The meaning of something being included in the ISMS scope is that this thing is information, or something related to information, that the organization wants to protect.
For example, if customer information is in the ISMS scope, then it means that this information needs to be protected. In case a sales process is in the ISMS scope, it means that all kinds of information related to the sales process need to be protected.
In your example, in case the sales process is not related to any information you want to protect (those related to the office you mentioned), you do not need to include it in the ISMS scope (or you can explicitly state that the sales process is out of the ISMS scope).
For further information, see:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Tool for defining the ISO 27001 ISMS scope https://advisera.com/insight/chatbot-tool-iso-27001-scope/
2 - Could we exclude offices/departments from the ISMS because we don’t share the same core processes, if we at the same time share support processes (the HR process and some IT processes, for example) and steering processes?
Yes. The ISMS scope can be defined in terms of only part of the organization, but please note that for small organizations of up to 100 employees, it is better to define that the whole organization is part of the scope, because the effort to separate the elements that are in and out of the ISMS scope may not be worthwhile.
This article will provide you with further explanation about the scope definition:
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
Oct 17, 2022