ISO/IEC 27001 - Issue during implementation of system

#1
Hi All,

ISO/IEC 27001 topics are new to me.
I would like to ask you for support with the question below.

As a requirement of our customer, we are implementing ISO/IEC 27001 in part of our organization. We are working in the customer's systems on their network (some kind of database). The assets we would like to protect are the information to which we have access via this system and the data which we save in this system (online work). To protect these assets we implemented the controls required by the customer.

In addition, to implement ISO/IEC 27001 we are creating procedures, policies and records which will be maintained on our network.
The key process is supported by processes such as the facility management process, quality and HR.

Here is my question:
In this case, is there a possibility to exclude our IT?

Thank you in advance for all responses.
 

mihzago

Trusted Information Resource
#2
What does your IT do? Are they simply a help desk to assist your employees with computer issues, or do they maintain an internal network that is completely separate from the customer, including data, documentation and interfaces? Then maybe. But if you're including HR and facilities management, then I don't know how you can justify excluding IT.

If your IT is involved in supporting or maintaining any resources (hardware, software, people) used for development or for interfacing with the customer's system (for example, you mentioned that you implemented controls required by the customer), then you definitely cannot exclude it.
 
#3
In this case our IT is separated from the customer network.
All settings related to the customer network were done by suppliers chosen by the customer. All problems related to customer hardware, connection and database will be reported to the customer's help desk.

ISMS documentation and records will be maintained in our database. To communicate with the customer we will use our e-mail accounts.
Facility management supports us with ACS and things related to buildings (like utilities, cleaning and security staff).
HR - hiring employees and termination of employment, training and maintaining personnel files.
 

smohanarangan

Starting to get Involved
#4
I don't think we can exclude IT, as most of the controls are for IT. You can treat the client DB as out of scope if it is owned by the client.
 