Statement of Applicability/Annex A Documents
Assign topic to the user
Todd,
To answer your question, I'll quote a paragraph from our ISMS Scope template: "The organization needs to define the boundaries of its ISMS in order to decide which information it wants to protect. Such information will need to be protected no matter whether it is additionally stored, processed or transferred in or out of the ISMS scope. The fact that some information is available outside of the scope doesn't mean the security measures won't apply to it this only means that the responsibility for applying the security measures will be transferred to a third party who manages that information. "
The point is - you need to require your suppliers and partners to protect your information - and you need to determine these requirements through the risk assessment.
Comment as guest or Sign in
Jan 12, 2016