Implementing and Extending Your ISO 27001 Scope

The good news is that most organisations these days have some form of security controls in place. There will probably be a firewall, even if it’s the one provided by the ISP which is integrated into the wireless router. There will probably be some anti malware software in place, even if it’s some kind of free, introductory version. The bad news, is that while we are seeing increased awareness and adoption of controls, we still see plenty of companies with security issues and incidents.

One of the major underlying causes is that many companies do not have clear security objectives and a structure in which to implement them. In other words, there is no formal Information Security Management System (ISMS) which leads to a disjointed approach the selection and management of security controls.

Often, controls have been implemented in response to particular situations, or because that’s what everyone else seems to do. Also most organisations view information security as an IT or data security problem. Information assets such as paper records and people, for example, are not properly considered and this can lead to vulnerabilities.

The ISO 27001 standard was developed to address the management of security for all types of information assets, across the whole organisation. ISO 27001 helps organisations to create a management structure and a system that brings information security under control. As an ISO management standard ISO 27001 mandates certain requirements so that organisations who adopt that it can also choose to become formally certified as compliant with the standard.

ISO 27001 Requirements

ISO 27001 Requires that the Organisation:

Adopt a risk assessment approach to information security. Threats, vulnerabilities, likelihood and impact should be assessed for all information assets.

Determine whether the risks are acceptable or not according to the organisation’s ‘risk appetite’ and implement suitable security to treat the unacceptable risks.

Implement a continuous improvement process to ensure that the security controls remain effective and appropriate.

Our approach to ISO 27001 compliance

Typically, our approach to ISO 27001 engagements is to initially carry out a Gap Analysis of the existing security management system against the clauses and controls of the standard. This gives a clear picture where the organisation already complies with the standard, where some controls are in place but there is room for improvement and where required controls are missing.

For some organisations this is all the assistance that they require and they use the results of the analysis to improve the security management system. Sometimes, following the Gap Analysis, the organisation may require further advice, guidance and project management for the implementation of suitable controls in order to meet the standard, in preparation for certification by a UKAS accredited body.

Extending the ISMS Scope

ISO 27001 certification is related to a defined scope. So, for example, you may only certify one division or location or you may include the whole company. Over time the company may grow or change, or you may decide to extend the ISMS to cover more divisions, locations or new business functions.

Scope expansion is a common scenario and is something that we can also help organisations to achieve whilst avoiding the associated pitfalls.
For successful expansion of your ISMS scope you will need to consider the following for each new site or department:
Site/department specific threats and vulnerabilities in your ISMS risk assessment.
Rolling out information security training in your policies and procedures to the new site/department.
Start recording and monitoring security incidents for the new site/department.

Making sure they have adequate resources to be able to comply with the security policies. Examples might be shredders and lockable cabinets.

Although management of the ISMS will remain central, at head office perhaps, you may wish to appoint local security representatives to take responsibility for security policy compliance, training and incident reporting at the new location.

New locations will also need to be covered by your internal audit schedule and your external auditors will need to be informed of your intention to change the scope. Each new site will need to be visited, although this can be usually be done over a three year surveillance visit cycle.

If you would like help with security compliance, penetration testing or web security solutions, then feel free to please contact Krypsys on 01273 044072 or [email protected].

Leave a comment