Determining the Scope of the ISMS
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *
Already have an account? Sign In »
7 hours 52 minutes
listen to 0.3.
Determining the scope off the ice Um s
a nice mess will be useless without a scope, and you won't be able to be certified unless you have a solid scope to find in this lesson, we're going to take a look at what, exactly? The scope of a nice mess is
what to consider with regards to defining your scope,
what to do with items out of your scope and considerations for documenting the scope.
So what is the scope?
A nice amiss will be pretty useless if the scope has not been clarified.
It is important to note what information as that you want to protect
and then to note where these information assets are produced, obtained, transferred, processed, stored and destroyed.
All the supporting assets processes and people will need thio
also be factored in this as this will set the boundaries for your script.
The scope is part of sub clause 4.3,
which is part of the overall clause for understanding the organization and its context.
The scope of the ice, um, establishes what is included in the ice mess what is specifically excluded from the ice mess and sets the physical and logical boundaries.
The scope is a key piece of documentation for a nice mess, especially ones that are going to be certified against Isis 27,000 and one.
It is important to remember that if the certification is to be used as a sales or marketing tool,
that the scope ties in properly with this.
For example, products or services that are sold from or managed by officers or sections off your organization which are specifically excluded from the certification scope
and the certificate once awarded,
cannot be used as a marketing tool for these
departments that are excluded.
The BSE, which managers and retains records of all isolators certifications achieved,
are quite strict on this point and monitor this.
Using a certificate to falsely advertise can jeopardize the validity off the existing certificate
along similar lines.
When you is an organization, rely on the ice oh certification off another organization. It is important to read and understand the scope that has been included as part of that certificate.
This will give you a clearer view on what has actually been included in the certification, as opposed to making assumptions about which part of the organization have been included in the ice mess.
So what exactly should be considered for your eyes? My scope?
Ideally, you want to think about what critical information your organization has.
This is jumping the gun a bit here at this point,
but you can tweet your scope afterwards once you have done your risk assessment and so forth.
Thinking about information that you want to protect
can make determining the scope easier.
For example, company proprietary information such as your research and development into a new project.
Where does this information get created?
Which teams are involved?
Where are these teams located?
What systems are they making use of
what infrastructure is hosting these systems?
Does this information go anywhere else in the organization
at a high level? Answering those questions gives an indication of what needs to be protected within the ice mess
and therefore, what? The scope of the ice, and they should cover
off course. You would want to do this for all the key information assets you are looking at protecting.
You will need to make a decision with the various key. I see Miss Stakeholders generally just the internal ones unless there is a key external stakeholder with the decision making ability for your SMS
about whether or not the full organization will be covered as part of the initial scope and implementation of the ice mess,
or whether the scope will first have an initial focus off certain areas and information within the business, with the remaining areas to be included in the ice mess in face approaches at a later stage.
This is a difficult question either way, but as long as the decision and rational behind it is documented,
you'll be OK in the audit.
Auditors do like to question the scope and understand the thinking behind why the scope was said out the way it waas.
So be prepared to have those discussions
and be able to answer the questions behind it
as we mentioned. Information is essential consideration for the scope of your Islamists.
Consider the departments and business units
infrastructure in information systems,
physical site locations
on third parties which may have to form part of the scope.
What do we do if items are out of scope?
So just this is an important Thio
define and document what will be included in the scope.
It is also important to document and define specific exclusions from the scope.
So why does one need to document this?
Just because something isn't stated in the scope does not mean it is automatically excluded.
This could appear as an oversight during an audit
showing documented evidence off the specific exclusions demonstrates that these exclusions have been formally considered.
Reasons for the exclusion should also be documented. This will help in showing that the consequences off excluding these are not severe or are not applicable or have been accepted.
This is a critical component to show stakeholders why various components have been excluded.
You can also include a high level roadmap or indication of Wendy's would be brought into the items if they are critical or if they are simply excluded. Due to being out of direct control of the organization,
it is considered as part of the risk assessment
and controls implementation.
For example, if your organization is a subsidiary on the organization and some mighty functions and infrastructure are wholly owned and managed by your group or parent company, and your organization simply makes use of these assets,
you may not have direct control over the patching process of servers,
however, the patching status off service is still something that directly affect the security posture of your organization Relying on these acids.
Either the infrastructure needs to be included in the scope somehow,
or a service level agreement between your organization and the department of the parent organization needs to be established if it is not already
and the service of an agreement included as part of the scope of the ice miss.
This demonstrates that although the direct control over the physical assets is not possible and therefore out of scope, but the control over the process and ensuring that the patching is in line with the requirements of the organization is demonstrated in the S L A and therefore that would be included.
So where or how should the scope be documented?
A formal document as part of the isthmus manual is recommended.
Your scope should be formally signed off and endorsed by senior management.
Your scope can be represented as a diagram off components
or is it written paragraph.
The scope you define will be included in your orders, reports and your certification.
Your certification only covers items that you have mentioned and included in the scope
you can have a standalone scope document
if you want.
Otherwise, include your scope and your scope exclusions in your Christmas manual.
This has benefits in that having ALS. The documentation, which is required for each clause in one manual, makes the maintenance of the documents so much easier
and also makes for a simple reference point.
A lot of the closes into link and provide context to each other, so keeping these together is often the best approach
we covered what the scope of a nice mess is and how it relates to your certification.
We also covered that out of scope items are permissible
with a few considerations to be aware of.
We covered what to consider and included in the scope of your SMS,
and we also covered a few tips for documenting the scope of your ice mess.