User
What are the steps to define the ISMS scope?
Experta
To comply with clause 4.3, "Determining the scope of the information security management system", you need to define the ISMS scope. Follow these steps:
1. Decide if your whole company will be included in the ISMS scope, or only a part of the company.
2. (if only a part of the company is included) Take into account the security requirements for setting the ISMS scope.
3. (if only a part of the company is included) Take into account the internal context: where the most sensitive information is processed, etc.
4. (if only a part of the company is included) Take into account if the scope is feasible in terms of departments, physical locations, and processes by analyzing dependencies and interfaces.
5. Define what should be excluded from the ISMS scope.
6. Write the ISMS Scope document.