How To Define ISMS (information Security Management System) Scope

#1
Apart from the organization boundaries, does any business application need to be selected for the ISMS implementation or certification scope?
My company's major business is software development services for customers, and no obvious or critical application exists.
 
#2
Maurice - the scope of an ISMS is basically the type of information you seek to hold secure. It often comes from also defining the applicability of the ISMS controls. Have you done this? The two go hand in hand.
 
#3
Thanks for the reply.
So maybe the data or documents provided by customers for developing and testing applications can be included? And is the system used to control those and the source code applicable too, like a version or document control system?
 
#4
Thanks for the reply.
So maybe the data or documents provided by customers for developing and testing applications can be included? And is the system used to control those and the source code applicable too, like a version or document control system?
Those would be part of it.
 
#5
ISMS scope is probably one of the hottest topics since the 2013 revision of ISO 27001 was published, because it introduces some new concepts like interfaces and dependencies. ISO 27001 specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System within the context of the organization’s overall business risks.
 

Marc

#6
Doing a bit of reading, I understand:

Define/Identify internal and external issues defined in clauses 4.1 and 4.2
Define/Identify internal and external dependencies
A description of the company location(s)

BSI's short take

General: ISO/IEC 27001 - Wikipedia

The official title of the standard is "Information technology — Security techniques — Information security management systems — Requirements"

ISO/IEC 27001:2013 has ten short clauses, plus a long annex, which cover:

1. Scope of the standard
2. How the document is referenced
3. Reuse of the terms and definitions in ISO/IEC 27000
4. Organizational context and stakeholders
5. Information security leadership and high-level support for policy
6. Planning an information security management system; risk assessment; risk treatment
7. Supporting an information security management system
8. Making an information security management system operational
9. Reviewing the system's performance
10. Corrective action
Annex A: List of controls and their objectives

This structure mirrors other management standards such as ISO 22301 (business continuity management) and this helps organizations comply with multiple management systems standards if they wish. Annexes B and C of 27001:2005 have been removed.
In addition:
Clause 6.1.3 describes how an organization can respond to risks with a risk treatment plan; an important part of this is choosing appropriate controls. A very important change in ISO/IEC 27001:2013 is that there is now no requirement to use the Annex A controls to manage the information security risks. The previous version insisted ("shall") that controls identified in the risk assessment to manage the risks must have been selected from Annex A. Thus almost every risk assessment ever completed under the old version of ISO/IEC 27001 used Annex A controls but an increasing number of risk assessments in the new version do not use Annex A as the control set. This enables the risk assessment to be simpler and much more meaningful to the organization and helps considerably with establishing a proper sense of ownership of both the risks and controls. This is the main reason for this change in the new version.

There are now 114 controls in 14 clauses and 35 control categories; the 2005 standard had 133 controls in 11 groups.

A.5: Information security policies (2 controls)
A.6: Organization of information security (7 controls)
A.7: Human resource security - 6 controls that are applied before, during, or after employment
A.8: Asset management (10 controls)
A.9: Access control (14 controls)
A.10: Cryptography (2 controls)
A.11: Physical and environmental security (15 controls)
A.12: Operations security (14 controls)
A.13: Communications security (7 controls)
A.14: System acquisition, development and maintenance (13 controls)
A.15: Supplier relationships (5 controls)
A.16: Information security incident management (7 controls)
A.17: Information security aspects of business continuity management (4 controls)
A.18: Compliance; with internal requirements, such as policies, and with external requirements, such as laws (8 controls)

The new and updated controls reflect changes to technology affecting many organizations (for instance, cloud computing), but as stated above it is possible to use and be certified to ISO/IEC 27001:2013 and not use any of these controls.
Attached: Example scope document
 

#8
Hi Richard,

I'm confused about which team the policy falls under.

Need help on finding which control needs to be added.
ISMS... Does this fall under the Information Security team?
Health and Safety... Does this fall under the Admin team?
What is an ISMS apex manual?
Who prepares the SOA and why is it done?
Can we make changes in the SOA, and if yes, which other documents get affected or may need changes?

Kindly help with this query. I am very keen to work and learn more and more on ISO 27k and security.

thanks
Om
 

Richard Regalado

#9
Hi Richard,

I'm confused about which team the policy falls under.

Need help on finding which control needs to be added.
ISMS... Does this fall under the Information Security team? - The responsibility for the implementation of a control depends on the risk to be addressed. If it is an HR risk, then the control must be implemented and monitored by someone from the HR department.

Health and Safety... Does this fall under the Admin team?
What is an ISMS apex manual? - There is no requirement for a manual in ISO/IEC 27001.

Who prepares the SOA and why is it done? - The person responsible for developing the ISMS should prepare the SOA. That person is knowledgeable about the controls implemented.
Can we make changes in the SOA, and if yes, which other documents get affected or may need changes? - The SOA is a document. As such it is subject to the same document control procedure as all other documents in your organization.

Kindly help with this query. I am very keen to work and learn more and more on ISO 27k and security.

thanks
Om
Hello Om.

You have so many questions. :)
I will answer each one.
 
#10
Hi Richard, thank you so much for helping me with my query. I will be needing your kind help on a few more points. I request you to please help me.
Soon I will post my query.
Take care.
Thank you very much
 