ISO/IEC 27001 - Issue during implementation of system

Akinom

Registered
Hi All,

ISO/IEC 27001 topics are new for me.
I would like to ask you for support in below question.

At the request of our customer, we are implementing ISO/IEC 27001 in part of our organization. We work in the customer's systems on their network (a kind of database). The assets we would like to protect are the information to which we have access via this system and the data which we save in this system (working online). To protect these assets we implemented the controls required by the customer.

In addition, to implement ISO/IEC 27001 we are creating procedures, policies and records which will be maintained on our network.
The key process is supported by processes such as facility management, quality and HR.

Here my question comes:
In this case, is it possible to exclude our IT?

Thank you in advance for all responses.
 

mihzago

Trusted Information Resource
What does your IT do? Are they simply a help desk assisting your employees with computer issues, or maintaining an internal network that is completely separate from the customer's, including data, documentation and interfaces? Then maybe. But if you're including HR and facilities management, then I don't know how you can justify excluding IT.

If your IT is involved in supporting or maintaining any resources (hardware, software, people) used for development or for interfacing with the customer's system (for example, you mentioned that you implemented controls required by the customer), then you definitely cannot exclude it.
 

Akinom

Registered
In this case our IT is separated from the customer network.
All settings related to the customer network were done by suppliers chosen by the customer. All problems related to the customer's hardware, connection and base will be reported to the customer's help desk.

ISMS documentation and records will be maintained in our base. To communicate with the customer we will use our e-mail accounts.
Facility management supports us with ACS and things related to buildings (like media, cleaning and security staff).
HR - hiring employees and terminating employment, training and maintaining personnel files.
 

smohanarangan

I don't think we can exclude IT, as most of the controls are for IT. You can put the client DB out of scope if it is owned by the client.
 