ISMS Scope Document

ISMS scope for company

Uploaded by

vaibh006

ISMS Scope Document

VERSION 1.0
RELEASE DATE: 10 JANUARY 2022
Document Number: SURAJ_IT_20

SURAJ FINVEST PVT. LTD

Document Details

Title: ISMS Scope Document
Version: 1.0
Classification: Internal
Release Date: 10 January 2022
Description: This document defines the scope of the ISMS implementation at Suraj Finvest Pvt. Ltd
Review Date: 04 January 2022
Author: VP Technology
Reviewer/Custodian: Consulting CISO
Approved By: Information Security Council (ISC)
Owner: VP Technology
Signatures with Date: 10 January 2022

Distribution List
Name

Internal Distribution Only

Version History
Version | Revision Date | Reviewer/Custodian Name | Approver Name | Brief Description of Amendments
1.1

1.2

1.3

1.4

1.5

Table of Contents

1. Scope
2. Introduction
2.1 Company Profile
2.2 Key Business Assets
3. Suraj’s Approach to Information Security Management
4. Scope Definition Process
4.1 Business Understanding
5. Scope of ISMS

1 Scope
As per RBI’s Cyber Security and Cyber Resilience Framework for NBFCs, this document
presents the details of the scope of Information Security Management System (ISMS)
defined for Suraj Finvest Pvt. Ltd (referred to as Suraj/Company).

2 Introduction
2.1 Company Profile
Suraj Finvest Pvt. Ltd (hereafter referred to as Suraj) is in the process of getting
registered as an NBFC-CIC-NDSI with the Reserve Bank of India and is mainly in the
business of investments and providing loans to its group companies.

2.2 Key Business Assets


As part of its core business processes, Suraj Finvest Pvt. Ltd. handles large
volumes of data including customer and employee data. Handling of
information and data is in many forms, and includes storing, processing,
transmitting, etc. Suraj Finvest Pvt. Ltd. has also developed and implemented
various software applications for provisioning services to clients.

As the custodian of a large volume of information that is sensitive from a
commercial, personal or business perspective, Suraj Finvest Pvt. Ltd. has a
fundamental responsibility to protect that information from unauthorized or
accidental modification, loss or release. Furthermore, trustworthy and reliable
information must be available to undertake and conduct Suraj’s day-to-day
business.

Specifically, information plays a vital role in core business processes and
customer service, in contributing to operational and strategic business decisions,
and in conforming to legal and statutory requirements. Accordingly, information
must be protected to a level commensurate with its value to the organization.

3 Suraj’s Approach to information security management


People, process, and technology are critical to Suraj for the conduct of their
activities. By developing, documenting, implementing and maintaining an
Information Security Management System (ISMS) based on the RBI’s Cyber
Security and Cyber Resilience Framework for NBFCs, Suraj will have greater
confidence in its personnel and the information security framework, and offer
better assurance to its customers.

Suraj has adopted a structured phased approach to information security risk
management. The approach can be broadly classified into three distinct phases:

• Preparation of ISMS documentation (inclusive of all relevant records) in order to apply
for certification;
• Implementation of the ISMS; and
• Certification process.

The various stages of the preparatory phase and the implementation of the ISMS are
depicted below in Figure 1:

Figure 1: Readiness and implementation approach

4 Scope Definition Process


The scope of the Information Security Management System (ISMS) has been
established based on discussions with the IT Head and the concerned Suraj management.
Suraj is in the process of getting registered as an NBFC-CIC-NDSI with the Reserve Bank of
India and is mainly in the business of investments and providing loans to its group
companies. The scope is to protect the financial information, the processes defined for
loan disbursement, and the payment processes of Suraj, along with its employees, by
providing cyber security awareness.

The above scope is intended to guide Suraj as an organization in complying with the various laws
and regulations applicable to it, such as the IT Act 2000, ISO 27001, and RBI’s Cyber
Security and Cyber Resilience Framework for NBFCs.

4.1 Business Understanding


Prior to finalizing the scope of the ISMS, discussions were held with the
departments to obtain the following details:
• Information on the business activities;
• Key personnel; and
• IT infrastructure and processing environment that supports the business activities.

The information obtained during the first level of discussions with all the departments has
been summarized below:

Department: Inputs for scope definition

Information Technology
The department is responsible for the following main functions:
• Managing and maintaining the IT infrastructure of Suraj;
• Maintaining applications that are being used by various business functions;
• Providing the users with continuous technical and system support; and
• IT resource planning and upgrading.

Personnel
The department is responsible for the following main functions:
• Recruitment;
• Performance Management System;
• Compensation management; and
• Exit process.

Admin/Security
The various functions of the Admin/Security department are as follows:
• Administration activities;
• Physical security administration;
• Maintenance of services and utilities; and
• Logistics.

Contracts
The various functions of the Contracts department are as follows:
• Preparation of contracts with Third Party Service Providers; and
• Management of contractual issues.

5 Scope of ISMS

Location
The facilities of SURAJ located at Kolkata in India are covered under the scope for this ISMS:
• Suraj Finvest Pvt. Ltd.; Emami Tower, 687, Anandapur EM Bypass Ruby, Kolkata, West Bengal - 700107

Personnel
All employees of the IT department of SURAJ located at the above facilities.
In addition, third party vendors working for the IT department on the
company premises are also covered under the scope of the ISMS.
These include:
• Physical security staff;
• Housekeeping staff;
• External consultants in the Facilities department;
• Contract personnel; and
• Third party IT vendors.

Physical Assets
All physical assets which are in use by SURAJ for IT operations at
the above-mentioned location.
Physical assets of SURAJ include the following:
• Servers;
• Workstations;
• Backup devices;
• Network and communication equipment;
• CDs and backup tapes;
• Communication links;
• Contracts;
• Master Service Agreements (MSA); and
• Printed/Blank documents.

Software
The following are the software assets of SURAJ:
Key application systems:
• OS Windows 10
• Office 2016 Pro Plus Software
• Centralised Patch Management System for managing the patches of the software
• Tally
Other software like:
• Server & Desktop Operating Systems;
• Network Management Systems; and
• Firewall, Intrusion Detection and other security related systems.

Information Assets
Information assets, both in electronic media and paper, that are in
use by Suraj are considered in the scope of the ISMS.
The electronic information assets include the following:
• Databases and data files for all projects;
• Project and process related artifacts;
• Accounting information;
• Payroll processing records;
• MIS reports;
• Budget information;
• Employee information database;
• Electronic documents maintained by each department; and
• Operational policies and procedures in electronic format.

The paper assets of SURAJ include the following:
• Contractual documents;
• Master Service Agreements (MSA);
• Statutory records;
• Access log registers; and
• Policy/procedure documents in hard copies.

Services
Services supporting the computing infrastructure and work
environment of Suraj such as power supplies, air conditioning, UPS
etc.

Scope limitation
The scope does not include:
• Any other department of SURAJ; and
• Any SURAJ employee located at any other location.
