How To Define ISMS (information Security Management System) Scope


maurice

Apart from organization boundaries, does any business application need to be selected for the ISMS implementation or certification scope?
My company's major business is software development services for customers, and no obvious or critical application exists.
 

AndyN

Maurice - the scope of an ISMS is basically the type of information you seek to hold secure. It often comes from also defining the applicability of the ISMS controls. Have you done this? The two go hand-in-hand.
 

maurice

Thanks for the reply.
So maybe the data or documents provided by customers for developing and testing applications can be included? And is the system that controls those and the source code applicable too, like a version control or document control system?
 

AndyN

Thanks for the reply.
So maybe the data or documents provided by customers for developing and testing applications can be included? And is the system that controls those and the source code applicable too, like a version control or document control system?

Those would be part of it.
 

ursindialtd

ISMS scope is probably one of the hottest topics since the 2013 revision of ISO 27001 was published, because it introduces some new concepts like interfaces and dependencies. ISO 27001 specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System within the context of the organization’s overall business risks.
 

Marc

Doing a bit of reading, I understand:

Define/Identify internal and external issues defined in clauses 4.1 and 4.2
Define/Identify internal and external dependencies
A description of the company location(s)

BSI's short take

General: ISO/IEC 27001 - Wikipedia

The official title of the standard is "Information technology — Security techniques — Information security management systems — Requirements"

ISO/IEC 27001:2013 has ten short clauses, plus a long annex, which cover:

1. Scope of the standard
2. How the document is referenced
3. Reuse of the terms and definitions in ISO/IEC 27000
4. Organizational context and stakeholders
5. Information security leadership and high-level support for policy
6. Planning an information security management system; risk assessment; risk treatment
7. Supporting an information security management system
8. Making an information security management system operational
9. Reviewing the system's performance
10. Corrective action
Annex A: List of controls and their objectives

This structure mirrors other management standards such as ISO 22301 (business continuity management) and this helps organizations comply with multiple management systems standards if they wish. Annexes B and C of 27001:2005 have been removed.

In addition:
Clause 6.1.3 describes how an organization can respond to risks with a risk treatment plan; an important part of this is choosing appropriate controls. A very important change in ISO/IEC 27001:2013 is that there is now no requirement to use the Annex A controls to manage the information security risks. The previous version insisted ("shall") that controls identified in the risk assessment to manage the risks must have been selected from Annex A. Thus almost every risk assessment ever completed under the old version of ISO/IEC 27001 used Annex A controls but an increasing number of risk assessments in the new version do not use Annex A as the control set. This enables the risk assessment to be simpler and much more meaningful to the organization and helps considerably with establishing a proper sense of ownership of both the risks and controls. This is the main reason for this change in the new version.

There are now 114 controls in 14 clauses and 35 control categories; the 2005 standard had 133 controls in 11 groups.

A.5: Information security policies (2 controls)
A.6: Organization of information security (7 controls)
A.7: Human resource security - 6 controls that are applied before, during, or after employment
A.8: Asset management (10 controls)
A.9: Access control (14 controls)
A.10: Cryptography (2 controls)
A.11: Physical and environmental security (15 controls)
A.12: Operations security (14 controls)
A.13: Communications security (7 controls)
A.14: System acquisition, development and maintenance (13 controls)
A.15: Supplier relationships (5 controls)
A.16: Information security incident management (7 controls)
A.17: Information security aspects of business continuity management (4 controls)
A.18: Compliance; with internal requirements, such as policies, and with external requirements, such as laws (8 controls)

The new and updated controls reflect changes to technology affecting many organizations, for instance cloud computing, but as stated above it is possible to use and be certified to ISO/IEC 27001:2013 and not use any of these controls.

Attached: Example scope document
 

Attachment: ISMS_iso27001_scope.pdf

Omprakashya

Hi Richard,

I'm confused about which team each policy falls under.

I need help finding which controls need to be added.
ISMS... Does this fall under the Information Security team?
Health and Safety... Does this fall under the Admin team?
What is an ISMS apex manual?
Who prepares the SOA and why is it done?
Can we make changes to the SOA, and if yes, which other documents get affected or may also have to be changed?

Kindly help with this query. I am very keen to work on and learn more and more about ISO 27k and security.

thanks
Om
 

Richard Regalado

Hello Om.

You have so many questions. :)
I will answer each one.

ISMS... Does this fall under the Information Security team? - The responsibility for the implementation of a control depends on the risk to be addressed. If this is an HR risk, then the control must be implemented and monitored by someone from the HR department.

Health and Safety... Does this fall under the Admin team?

What is an ISMS apex manual? - There is no requirement for a manual in ISO/IEC 27001.

Who prepares the SOA and why is it done? - The person responsible for developing the ISMS should prepare the SOA. That person is knowledgeable about the controls implemented.

Can we make changes to the SOA, and if yes, which other documents get affected or may also have to be changed? - The SOA is a document. As such it is subject to the same document control procedure as all other documents in your organization.
 

Omprakashya

Hi Richard, thank you so much for helping me with my query. I will need your kind help on a few more points. I request that you please help me.
Soon I will post my query.
Take care.
Thank you very much
 