How To Set The ISMS Scope

How to set the ISMS scope - Advisera

Uploaded by Domijones Manalo

How to set the ISMS scope

according to ISO 27001

Presenter: Dejan Kosutic


How to set the scope for your Information Security Management System

If you’re planning to start your ISO 27001 implementation, one of the first big dilemmas you’ll face is the scope.
©2021 27001Academy www.advisera.com/27001academy 2
Setting the scope right will make your life much easier



Agenda

• Where is the scope defined?
• How should the scope be defined?
• How big should the scope be?
• Scope if servers are in the cloud
• Dependencies and interfaces
• External and internal issues
• How to document the scope
• Biggest challenges with setting the ISMS scope


Where is the scope defined?

• 1) In the ISMS Scope document (detailed description)
• 2) In the ISO 27001 certificate (one sentence)


How should the scope be defined?

Acceptable:
• Processes
• Departments
• Locations
• Exclusions

Not acceptable:
• Products
• Technology
• Security domains / controls from Annex A
How big should the scope be?

• Smaller companies: go for the whole company
• Larger companies: go for only one part of your company
• Beware of departments left out of the scope
• Most important: think where your most sensitive information is


Scope if servers are in the cloud

Technical solution                                              Include in the scope
---------------------------------------------------------------  ----------------------------------
Own physical servers on a third-party infrastructure             Hardware, software, and data
Virtual servers in a third-party computing infrastructure        Software and data
(public IaaS)
Using third-party platform (public PaaS)                         Data and all application software
Using third-party Software-as-a-Service (public SaaS)            Data
Dependencies and interfaces



External and internal issues

Examples of internal issues:
• Organizational structure
• Values, mission, vision
• Resources
• Contractual relationships

Examples of external issues:
• Market and customer trends
• Needs of interested parties
• Technological trends
• Laws and regulations
How to document the scope

Mandatory:
• Processes
• Locations
• Organizational units

Not mandatory:
• Internal and external issues
• Dependencies and interfaces
• List of assets
Biggest challenges with setting the ISMS scope

• Defining the ISMS scope for a business process or service that is hosted in the cloud
• Understanding and identifying all the interfaces between departments to determine the scope
• How best to define scope when the company is multinational with offices around the globe
• Interference from our QA department who are demanding ISO27001 documentation sits under their clinical document QMS
• Cost vs benefit when deciding on the scope size


Conclusion

Do not focus your scope on your IT only – focus on where your most sensitive information is


Q&A

Dejan Kosutic
Thank you!
www.advisera.com/27001academy/webinars
