Expert Advice Community

Scope question

Guest user Created: Jul 07, 2021 Last commented: Jul 07, 2021

We have one question about the ISMS scope: Our owner/parent company (XXXXX) is also our supplier for several IT services (e.g. network). They define rules and settings that automatically apply to us (in their role as owner). However, in their role as supplier they would have to adhere to the standards we (subsidiary = YYYYY) set for them, correct? How should we formulate this in our ISMS Scope and how should we treat it in the SOA? And are there any recommendations regarding how such a relationship should be clearly formulated in an SLA?
Expert
Rhand Leal Jul 07, 2021

1 - Our owner/parent company (***) is also our supplier for several IT services (e.g., network). They define rules and settings that automatically apply to us (in their role as owner). However, in their role as supplier they would have to adhere to the standards we (subsidiary = ***) set for them, correct? How should we formulate this in our ISMS Scope and how should we treat it in the SOA?

Answer: Please note that this question about rules, settings, and standards does not apply to the definition of the ISMS scope.

In the definition of the scope, you only need to mention that your IT services are outsourced (you do not even need to identify the provider in the scope). The detailed information about the outsourcing situation is used when performing a risk assessment.

For further information about scope, see:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/

- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

Regarding your scenario, as the owner/parent company, your “supplier” will have the last word in any setting you define regarding the provided services, so you need to agree with them if these settings are needed (based on the results of risk assessment and applicable legal requirements) and feasible. In this situation you have two possible scenarios:
- they agree with your settings and create specific rules for your organization.
- they do not agree with your settings, and you will need to evaluate the related risks to decide on another way to treat them.

2 - And are there any recommendations regarding how such a relationship should be clearly formulated in an SLA?

Answer: The fact that your owner/parent company is also your IT supplier does not affect the regular content an SLA should cover, so you need to define in your SLA items like service description, scope, performance supported, contacts, etc.

This article will provide you with a further explanation about SLAs:
- What’s the content of an ITIL/ISO 20000 SLA? https://advisera.com/20000academy/blog/2016/06/14/whats-the-content-of-an-itiliso-20000-sla/
