Scribd Logo
Upload

Welcome to Scribd!

  • 174 views

    How To Set The ISMS Scope

    Uploaded by

    Domijones Manalo
    How to set the ISMS scope - Advisera

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd

    How To Set The ISMS Scope

    Uploaded by

    Domijones Manalo
    174 views15 pages
    How to set the ISMS scope - Advisera

    Original Title

    How to set the ISMS scope

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    How to set the ISMS scope - Advisera

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Download as pdf or txt
    174 views15 pages

    How To Set The ISMS Scope

    Uploaded by

    Domijones Manalo
    How to set the ISMS scope - Advisera

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Download as pdf or txt
    You are on page 1of 15

    How to set the ISMS scope

    according to ISO 27001

    Presenter: Dejan Kosutic


    How to set the scope for your Information
    Security Management System

    If you’re planning to start your ISO 27001


    implementation…

    … one of the first big dilemmas you’ll face


    is the scope
    ©2021 27001Academy www.advisera.com/27001academy 2
    Setting the scope right will make
    your life much easier

    ©2021 27001Academy www.advisera.com/27001academy 3


    Agenda

    • Where is the scope defined?


    • How should the scope be defined?
    • How big should the scope be?
    • Scope if servers are in the cloud
    • Dependencies and interfaces
    • External and internal issues
    • How to document the scope
    • Biggest challenges with setting the ISMS
    scope

    ©2021 27001Academy www.advisera.com/27001academy 4


    Where is the scope defined?

    • 1) In the ISMS Scope document (detailed


    description)
    • 2) In the ISO 27001 certificate (one
    sentence)

    ©2021 27001Academy www.advisera.com/27001academy 5


    How should the scope be defined?

    Acceptable:
    • Processes
    • Departments
    • Locations
    • Exclusions

    Not acceptable:
    • Products
    • Technology
    • Security domains / controls from Annex A
    ©2021 27001Academy www.advisera.com/27001academy 6
    How big should the scope be?

    • Smaller companies: go for the whole


    company
    • Larger companies: go for only one part of
    your company
    • Beware of departments left out of the scope
    • Most important: think where your most
    sensitive information is

    ©2021 27001Academy www.advisera.com/27001academy 7


    Scope if servers are in the cloud

    Technical solution Include in the scope


    Own physical servers on a Hardware, software, and
    third-party infrastructure data
    Virtual servers in a third- Software and data
    party computing
    infrastructure (public IaaS)
    Using third-party platform Data and all application
    (public PaaS) software
    Using third-party Software- Data
    as-a-Service (public SaaS)
    ©2021 27001Academy www.advisera.com/27001academy 8
    Dependencies and interfaces

    ©2021 27001Academy www.advisera.com/27001academy 9


    External and internal issues

    Examples of internal issues:


    • Organizational structure
    • Values, mission, vision
    • Resources
    • Contractual relationships
    Examples of external issues:
    • Market and customer trends
    • Needs of interested parties
    • Technological trends
    • Laws and regulations
    ©2021 27001Academy www.advisera.com/27001academy 10
    How to document the scope

    Mandatory:
    • Processes
    • Locations
    • Organizational units

    Not mandatory:
    • Internal and external issues
    • Dependencies and interfaces
    • List of assets
    ©2021 27001Academy www.advisera.com/27001academy 11
    Biggest challenges with setting the
    ISMS scope

    • Defining the ISMS scope for a business process


    or service that is hosted in the cloud
    • Understanding and identifying all the interfaces
    between departments to determine the scope
    • How best to define scope when the company is
    multinational with offices around the globe
    • Interference from our QA department who are
    demanding ISO27001 documentation sits under
    their clinical document QMS
    • Cost vs benefit when deciding on the scope size

    ©2021 27001Academy www.advisera.com/27001academy 12


    Conclusion

    Do not focus your scope on your IT


    only – focus on where your most
    sensitive information is

    ©2021 27001Academy www.advisera.com/27001academy 13


    Q&A

    Dejan Kosutic
    Thank you!
    www.advisera.com/27001academy/webinars

    You might also like