Defining Security Interfaces for Scope for ISMS - Need help


ndabbot

#1
Hi,
I am currently in the process of defining the scope for an ISMS. We are covering only the IT department within our organisation. I have downloaded the ISO27K toolkit with scope samples and have a problem with the following:
define security interfaces for information flows and processes that span or extend beyond the in-scope area to the remainder, since everything outside the scoped area is relatively untrustworthy

Can anybody point me to some examples of how to correctly define such interfaces?

keres

#2
In my opinion it doesn't make any sense if it doesn't cover the entire company, not only one department.
 

Marc

#3
Hi,
I am currently in the process of defining the scope for an ISMS. We are covering only the IT department within our organisation. I have downloaded the ISO27K toolkit with scope samples and have a problem with the following:
define security interfaces for information flows and processes that span or extend beyond the in-scope area to the remainder, since everything outside the scoped area is relatively untrustworthy

Can anybody point me to some examples of how to correctly define such interfaces?
I'm not sure what you mean by "...how to correctly define such interfaces...". I'm not an IT person and am not an ISO 27000 person. Hopefully someone in the field will help out with this one. I would like to see an example of a Scope Statement for ISO 27000 as well.

Personally, whenever I defined a Scope Statement for something (ISO 9001 or a project or whatever) I didn't specifically address inputs and outputs from other departments. Essentially I looked at them as suppliers and evaluated them as such. I would think in IT inputs from outside the scope would be evaluated for risk and other relevant factors in the same way risks associated with the outputs to "customers" would be evaluated.

Supplier --> Inputs --> Process(es) --> Outputs --> Customer

My apologies for not being able to personally help with your specific information / help request. My thanks in advance to anyone who can help by providing an example of a Scope Statement for ISO 27000 and/or can help with this one.
 

Richard Regalado

Trusted Information Resource
#4
Hi,
I am currently in the process of defining the scope for an ISMS. We are covering only the IT department within our organisation. I have downloaded the ISO27K toolkit with scope samples and have a problem with the following:
define security interfaces for information flows and processes that span or extend beyond the in-scope area to the remainder, since everything outside the scoped area is relatively untrustworthy

Can anybody point me to some examples of how to correctly define such interfaces?
Even though your scope is ONLY IT, you cannot run away from the other interfacing business units of your organization.

Section A.8, which pertains to Human Resources Security, includes such controls as hiring, terms and conditions of employment, background checks and others. Unless the aforementioned controls are being done by the IT department (your scope), your HR department is an interfacing business unit.

Section A.9 is Physical and Environmental Security and outlines the controls needed to preserve CIA at the physical level. Can IT perform physical security duties as well?

Section A.6 includes a particular control called Authorization Process for New Information-processing Facilities. Do you purchase your own IT equipment? I doubt it. Then your procurement or purchasing business is an interfacing business unit.

I use Visio in defining the interfaces to my scope. Try it.

Oh and before I forget, do you have an offsite backup storage for your data? The provider for this service is an external interfacing entity.

P.S. You have to manage these interfaces within your ISMS.
 
#5
In my opinion it doesn't make any sense if it doesn't cover the entire company, not only one department.
The 'nice' thing about ISO 27001 is that it can be very specific to a particular scope. An ISMS doesn't actually have to apply to 'the whole' company, frankly! This is NOT like an ISO 9001 QMS!
 

Richard Regalado

Trusted Information Resource
#6
The 'nice' thing about ISO 27001 is that it can be very specific to a particular scope. An ISMS doesn't actually have to apply to 'the whole' company, frankly! This is NOT like an ISO 9001 QMS!
ISO 9001 can be implemented on a single business unit or a product line as well and not the whole company.
 
#7
ISO 9001 can be implemented on a single business unit or a product line as well and not the whole company.
That CAN be done. However, if you want to be certified, with a credible certificate, then it's highly unlikely that would work! Indeed, ISO/TS 16949 certification doesn't allow for 'ring fencing'!
 

ndabbot

#8
Hi, thanks for your input. My research shows that scope is actually a different thing from what was explained during the Lead Implementer course. Could anybody point me to the correct thread on how to work out a scope document, with possible examples of how the actual document looks?
 
#9
Hi, thanks for your input. My research shows that scope is actually a different thing from what was explained during the Lead Implementer course. Could anybody point me to the correct thread on how to work out a scope document, with possible examples of how the actual document looks?
Let me take a look for you. My company has registered a number of organizations to ISO 27000, so I'll take a look for some actual scope statements. "Please wait, while I put you on hold..."
 
#10
Scopes may be worded along these lines:

"Secure Repository environment for monitoring, measuring and directing the security of client marketing information"

"The design and development of software, services, and solutions, for wireless messaging, navigation and location technologies. The design, development integration, and installation of hardware and maintenance services for satellite communication services."

"Post Production Division: Provides Information Security Direction, Control, and Governance to the XXXX Client Content Environment In accordance with the XXXX, Inc. Statement of Applicability version N dated, AA/BB/ZZZ"
 