Get 2 Documentation Toolkits for the price of 1
Limited-time offer – ends March 28, 2024

Expert Advice Community

Guest

Setting the ISMS scope for data center

  Quote
Guest
Guest user Created:   Jan 12, 2016 Last commented:   Jan 12, 2016

Setting the ISMS scope for data center

Since my ISO program is focus on one of our data centers, the data center was maintained by operation team, infra service was supported by Infra Team, also development team for application development
0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Guest
DejanK Jan 12, 2016

1. For a DC certification: do we need to identify all the applications / data on the servers?

Answer: Yes, if you specify they are part of your ISMS Scope. In some cases I've seen that the scope of data center was only the infrastructure, but they excluded the business data.

2. How to set up the boundary? We now have infra & operation team in scope, but not having the development team. Does it necessary to involve them?

Answer: The boundary is normally set with doors and walls for your facilities, and with routers and firewalls for your network. Whether or not you include your development team is really up to you - without having more detailed information I cannot give you advice on that.

3. For asset management, as virtualization is adopted, how do we categorize the virtual machine, in HW, SW, Data? Or separated category for th em?

Answer: Categorization is not required by ISO 27001, but I would always separate physical computers as an asset from software and from data - therefore, your server is really 3 different assets at the same time.

4. If 1 yes, how do we classify the data? Since many data is owned by different BU, it’s hard to find owner to identify its CIA level, do you have any suggestions.

Answer: If you handle the data of the "third party" (business side of your organization is third party here because they are out of the ISMS scope) then this third party has to set the rules for the classification.

Quote
0 0
Guest
Guest post Jan 12, 2016

For #2 it would seem that if the applications/programs (i.e. not just the infrastructure) are part of the scope then any personnel with privileged access to the application servers would be in scope - so maybe not the developers if they do not "push code" to the production servers. (For example, if the developers would develop & test in a different environment and your operations staff push the code to production servers then the developers might be out of scope).

It seems that if you have clearly defined your scope then the answer to your question would be immediately apparent.

Quote
0 0
Guest
DejanK Jan 12, 2016

Yes, in this situation (where there is a clear boundary) you could set the developers out of the ISMS scope.

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Jan 12, 2016

Jan 12, 2016