Defining Security Interfaces for Scope for ISMS - Need help


ndabbot

Hi,
I am currently in the process of defining the scope for an ISMS. We are covering only the IT department within our organisation. I have downloaded the ISO27K toolkit with scope samples and have a problem with the following:
define security interfaces for information flows and processes that span or extend beyond the in-scope area to the remainder, since everything outside the scoped area is relatively untrustworthy

Can anybody point me to some examples of how to correctly define such interfaces?
 

keres

In my opinion it doesn't make any sense if it doesn't cover the entire company, not only one department.
 

Marc

Hi,
I am currently in the process of defining the scope for an ISMS. We are covering only the IT department within our organisation. I have downloaded the ISO27K toolkit with scope samples and have a problem with the following:
define security interfaces for information flows and processes that span or extend beyond the in-scope area to the remainder, since everything outside the scoped area is relatively untrustworthy

Can anybody point me to some examples of how to correctly define such interfaces?
I'm not sure what you mean by "...how to correctly define such interfaces...". I'm not an IT person and am not an ISO 27000 person. Hopefully someone in the field will help out with this one. I would like to see an example of a Scope Statement for ISO 27000 as well.

Personally, whenever I defined a Scope Statement for something (ISO 9001 or a project or whatever) I didn't specifically address inputs and outputs from other departments. Essentially I looked at them as suppliers and evaluated them as such. I would think in IT, inputs from outside the scope would be evaluated for risk and other relevant factors in the same way risks associated with the outputs to "customers" would be evaluated.

Supplier --> Inputs --> Process(es) --> Outputs --> Customer

My apologies for not being able to personally help with your specific information / help request. My thanks in advance to anyone who can help by providing an example of a Scope Statement for ISO 27000 and/or can help with this one.
 

Richard Regalado

Hi,
I am currently in the process of defining the scope for an ISMS. We are covering only the IT department within our organisation. I have downloaded the ISO27K toolkit with scope samples and have a problem with the following:
define security interfaces for information flows and processes that span or extend beyond the in-scope area to the remainder, since everything outside the scoped area is relatively untrustworthy

Can anybody point me to some examples of how to correctly define such interfaces?

Even though your scope is ONLY IT you cannot run away from the other interfacing business units of your organization.

Section A.8, which pertains to Human Resources Security, includes such controls as hiring, terms and conditions of employment, background checks and others. Unless the aforementioned controls are being done by the IT department (your scope), your HR department is an interfacing business unit.

Section A.9 is Physical and Environmental Security and outlines the controls needed to preserve CIA at the physical level. Can IT perform physical security duties as well?

Section A.6 includes a particular control called Authorization Process for New Information-processing Facilities. Do you purchase your own IT equipment? I doubt it. Then your procurement or purchasing business unit is an interfacing business unit.

I use Visio in defining the interfaces to my scope. Try it.

Oh, and before I forget, do you have offsite backup storage for your data? The provider of this service is an external interfacing entity.

p.s. You have to manage these interfaces within your ISMS.
 

AndyN

In my opinion it doesn't make any sense if it doesn't cover the entire company, not only one department.

The 'nice' thing about ISO 27001 is that it can be very specific to a particular scope; an ISMS doesn't actually have to apply to 'the whole' company, frankly! This is NOT like an ISO 9001 QMS!
 

Richard Regalado

The 'nice' thing about ISO 27001 is that it can be very specific to a particular scope; an ISMS doesn't actually have to apply to 'the whole' company, frankly! This is NOT like an ISO 9001 QMS!

ISO 9001 can be implemented in a single business unit or on a product line as well, and not the whole company.
 

AndyN

ISO 9001 can be implemented in a single business unit or on a product line as well, and not the whole company.

That CAN be done. However, if you want to be certified, with a credible certificate, then it's highly unlikely that would work! Indeed, ISO/TS 16949 certification doesn't allow for 'ring fencing'!
 

ndabbot

Hi, thanks for your inputs. My research shows that scope is actually a different thing from what was explained during the Lead Implementer course. Could anybody point me to the correct thread on how to work out a scope document, with possible examples of how the actual document looks?
 

AndyN

Hi, thanks for your inputs. My research shows that scope is actually a different thing from what was explained during the Lead Implementer course. Could anybody point me to the correct thread on how to work out a scope document, with possible examples of how the actual document looks?

Let me take a look for you. My company has registered a number of organizations to ISO 27000, so I'll take a look for some actual scope statements. "Please wait, while I put you on hold..."
 

AndyN

Scopes may be worded along these lines:

"Secure Repository environment for monitoring, measuring and directing the security of client marketing information"

"The design and development of software, services, and solutions, for wireless messaging, navigation and location technologies. The design, development integration, and installation of hardware and maintenance services for satellite communication services."

"Post Production Division: Provides Information Security Direction, Control, and Governance to the XXXX Client Content Environment In accordance with the XXXX, Inc. Statement of Applicability version N dated, AA/BB/ZZZ"
 