
My company would like to be ISO 27001 certified, so we have started a preliminary study and are now working on a draft ISMS scope in accordance with the standard (context of the company, interested parties, boundaries ...).

Several things remain unclear to me, for which I would like some help in understanding what has to be included in the scope or not, and the other potential consequences:

  1. Locations: The unique company office location is in scope (small office), but should we also include the data center location where some assets are hosted? Note that this is not our own data center, but is outsourced (the company rents some racks from a local datacenter provider).

  2. Out of scope: The company also holds shares in another company which is located within the same office/premises. We can consider these "shared premises", because people from this other company can access the whole office (access control is only in place at the main entrance).
     From a network point of view, the second company is isolated on a dedicated DMZ with no access to my company's network (still to be confirmed; they may use a shared printer at least).

My first assessment was to exclude the second company from the scope (including the dedicated DMZ), but after some more thinking it does not appear so easy to decide, since people can move everywhere within our office ...

  • Is this something that will be raised through the risk analysis and treatment plan (the conclusion will likely be to physically isolate this second company or to move it elsewhere)?
  • What about the dedicated DMZ, which sits on an in-scope firewall, if the DMZ itself is out of scope (insecure network)?
Vilican
    I would almost certainly say that the second company is "in scope", in that you need to certify that their physical security controls and policies (or lack of them) don't impact you. – Polynomial Sep 04 '15 at 15:45

2 Answers


27001 (2005 or 2013) is less prescriptive than most people seem to think. It is completely up to you how you set the scope, just remember that it will appear on your certificate.

If the external stakeholders (customers, partners, shareholders) invested in your certification don't think it is sufficient then the certification itself might be useless for your purposes.

If the second company is out of scope, then the auditor won't consider it in itself during assessment. Its policies, procedures and controls won't be relevant.

However, that isn't to say that things excluded won't cause you some problems indirectly. You rightly mention other people having access to your workspace might be a problem.

Section 11 deals with this element: 11.1.1 (Physical Perimeter Security) and 11.1.3 (Securing offices, rooms and facilities) are where you will need to demonstrate effective controls on your Statement of Applicability.

The standard does not prescribe what the controls are, merely that you should have them. An auditor's job is to prove that you have them and that they are not obviously ineffective - not that they are effective.

The problem certainly isn't insurmountable. A range of controls around auto-locking screens, 802.1x on network interfaces and employees reporting any information security incidents pertinent to the presence of the other company's employees is likely to be enough to satisfy an auditor in most cases.

Indeed, in some organisations working with privileged information with members of the public present is necessary (the booths on the floors of retail banks, for example) and that is not a barrier to obtaining 27001 certification. Of course, lots will depend on your environment and your auditor.

UKAS auditors tend to be the most stringent but at the end of the day play by the same rules -- is there a control? Is there evidence it isn't working?

Finally, to your datacentre point: as an Information Processing facility it will be impossible to avoid repeated mention during the audit. If the facility itself is 27001 certified (regardless of the version) then all you need to do is produce their certificate and Statement of Applicability. If it is not, then it is likely the auditor will want to visit to test the security they provide on your behalf.

alifen
  1. Certificates should be issued to a legal entity, so the second company should be out of scope. This assumes they will not be adhering to your ISMS requirements. If there was a business relationship between the two companies, like they have the same owner, then you may be able to certify both, operating under the same ISMS, subject to unusual confidentiality arrangements.
  2. This means that you need to protect your information both logically (which you state, and I assume you mean they are on a separate network altogether) and physically. The latter looks like you have problems, with both companies' staff intertwined.
  3. The datacentre is in scope and may be visited by the auditor, or the contractual and security arrangements reviewed at a minimum. (Do they host, or provide a full managed service?) However, the scope on your certificate is unlikely to mention this secondary location.
Phil