ISO 27001, ISO 27002 & ISO17799 User Group: Forums
Posted: Wed Apr 28, 2004 7:26 pm Post subject: ISO 17799 & Scope
Does anybody have any advice on scoping BS 7799? I am getting a lot of mixed messages. I am an InfoSec Officer for a very large Healthcare organisation in the UK (13,000 Staff, 100 Sites, 4,000 PCs, 200+ Information Systems).
How is it best to scope a project?
I have been in contact with three different organisations, one scoped by Department, the other by Site and another by Business Process, all of which argue that their scoping is correct and the others have generated excess work and complexity.
... no text book answers quoting the standard please ;o)
The short answer is that they are all right. You can scope the BS7799 by either Business Process, Site or Department or company.
You need to identify your business requirement for an ISMS iaw BS7799.
Given the size of your organization you need to identify either a Business process or department.
An example: A large company needs to be BS7799 compliant for BB reason. They identify the NOC (Network Operation Centre) as the Scope of the project. They do this because it represents an achievable goal in the shortest time. So the State of Applicability is restricted to the NOC; however, the company can say that they are BS7799 compliant. It is only when another company asks for the State of Applicability that you will understand where the certificate for BS7799 applies within that company.
I think the organizations see you as a long-term money-making adventure. The more complex and excess work they generate, the more money they can charge you.
FUD - Fear, uncertainty and doubt is what some security leaders lean on to get budgets; don't let them.
I would do it defining a business process scope, starting with the process that supports the goals of the organization. If it is your first implementation, a well defined business process would be easier to handle.
My organisation has been registered to BS7799 since Nov 1999; we have had many audits since by our accreditors. Their advice to us has been to continually increase the scope. They want to see as much of the company's related activities covered by the scope.
We started by taking a core activity and including the support activities that were critical to the effective operation of the activity.
This has however increased over time to cover most of the company's activities.
... of course they want you to expand your scope ... the bigger your scope the more audit ... the more audit ... the more time they have to spend auditing ... the more money they get.
I would keep your scope to your core systems unless the benefits of BS 7799 scope expansion outweigh the risks ... BS 7799 scope should meet business objectives, not auditor objectives.
Joined: May 04, 2005 Posts: 1 Location: Massachusetts
Posted: Thu May 05, 2005 3:07 am Post subject: ISO17799 & Scope
Even "core systems" may be too broad for an initial effort. Perhaps if you identify what is of most value to you to protect (this may be relative to perceived risk) and start with the systems/processes that touch this particular information. For example, if confidentiality of patient information is critical, you would need to address processes/systems that handle/store/transmit that information - saving payroll, financials, etc. for Step 2.
In the US, the requirements of Sarbanes-Oxley may be the key driving force in implementing the standards, so we would look to the scope of that legislation for our first cut. We have some help here, as COSO (or, in IT, CObIT) has already been mapped to ISO17799, and that's what our auditors are looking at.