There are currently, 13 guest(s) and 0 member(s) that are online.
You are Anonymous user. You can register for free by clicking here
Select Interface Language:
ISO 17799 Resources
There are now quite a few BS7799, ISO27001 and ISO 17799 portals on the web offering commercial tools & products. Possibly the most complete is ISO 17799 and ISO 27001 Central.
Call for Papers
We are shortly to launch a content section for papers and articles on ISO 17799 implementation, BS7799, AS4444, ISO 27001, UNE71502, and information security generally. If you have produced a paper and would like us to publish it, please contact us via the feedback form above.
ISO 27001, ISO 27002 & ISO17799 User Group: Forums
Posted: Wed Apr 28, 2004 7:26 pm Post subject: ISO 17799 & Scope
Does anybody have any advice on the scoping BS 7799. I am getting a lot of mixed messages. I am an InfoSec Officer for a very large Healthcare organisation in the UK (13,000 Staff, 100 Sites, 4,000 PC's, 200+ Information Systems)
How is it best to scope a project ?
I have been in contact with three different organisations, once scoped by Department, the other by Site and another by Business Process, all of which argue that there scoping is correct and the others have generated excess work and complexity.
... no text book answers quoting the standard please ;o)
The short answer is that they are all right. You can scope the BS7799 by either Business Process, Site or Department or company.
You need to identify your business requirement for an ISMS iaw BS7799.
Given the size of your orqanization you need to identify either an Business process or department.
An example: A large company need to be BS7799 compliant for BB reason. They identify the NOC (Network operation Centre) as the Scope of the project. They do this because it represent an achievable goal in the shortest time. So the State of Applicability is restricted to the NOC however the company can say that they are BS7799 compliant. It is only when another company asks for the State of Applicability will you understand where the certificate for BS7799 applies within that company.
I think the organization see you as a long term money making adventure. The more complex and excess work they generate the more money they can charge you.
FUD - Fear uncertainty and doubt is what some security leaders lean on to get budgets, don't let them.
I would do it defining a business process scope, starting with the process that supports the goals of the organization. If it is your first implementation, a well defined business process would be easier to handle.
My organisation has been registered to BS7799 since Nov 1999, we have had many audits since by our acceditors. Their advise to us has bee to continually increase the scope. They want to see as much of the companies related activities covered by the scope.
We started by taking a core activity and including the support activities that were critical to the effective operation of the activity.
This has however increased over time to cover most of the companies activities.
Joined: May 04, 2005 Posts: 1 Location: Massachusetts
Posted: Thu May 05, 2005 3:07 am Post subject: ISO17799 & Scope
Even "core systems" may be too broad for an initial effort. Perhaps if you identify what is of most value to you to protect (this may be relative to perceived risk) and start with the systems/processes that touch this particular information. For example, if confidentiality of patient information is critical, you would need to address processes/systems that handle/store/transmit that information - saving payroll, financials, etc. for Step 2.
In the US, the requirements of Sarbanes-Oxley may be the key driving force in implementing the standards, so we would look to the scope of that legislation for our first cut. We have some help here, as COSO (or, in IT, CObIT) has already been mapped to ISO17799, and that's what our auditors are looking at.
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum