There are currently, 22 guest(s) and 0 member(s) that are online.
You are Anonymous user. You can register for free by clicking here
Select Interface Language:
ISO 17799 Resources
There are now quite a few BS7799, ISO27001 and ISO 17799 portals on the web offering commercial tools & products. Possibly the most complete is ISO 17799 and ISO 27001 Central.
Call for Papers
We are shortly to launch a content section for papers and articles on ISO 17799 implementation, BS7799, AS4444, ISO 27001, UNE71502, and information security generally. If you have produced a paper and would like us to publish it, please contact us via the feedback form above.
ISO 27001, ISO 27002 & ISO17799 User Group: Forums
Joined: Jul 29, 2004 Posts: 6 Location: Bangalore - India
Posted: Thu Jul 29, 2004 8:29 pm Post subject: Scoping
I am attempting to define the minimum scope required for BS7799 certification for the organization I work for. I am up against a wall because we are trying to isolate IT from the scope - but all the processes defined within the scope use IT applications and Server space. Is this a problem? Or can i seperate the 2? More importantly - am I approaching this the right way?
Posted: Fri Sep 17, 2004 1:37 am Post subject: Scoping
IT cuts right through the organisation and is one of the main information delivery and processing tools so it's going to be difficult to isolate it from the 7799 scope. Really what you need to do first is start a little higher. Remember that BS7799 is a quality standard and as with all quality standards the main reason for adoption is to A/ Increase sales B/ reduce losses so you start at that point with a business/Information risk assessment i.e. what Information/processing assets are important to the business and what role do they play. Is it the availability of information thatís important, what will happen to what areas of the business if Information isn't available or is not correct, do you rely on ecommerce for revenue, if so how much does it bring in, what regulations do you have to adhere to and what will happen if you don't comply.
From this type of questioning you can then start to see the important Information/processing assets and the IT that is relevant to these assets.
This will help define the scope and understand the relationship with the IT. I really don't think that you can completely isolate IT and really shouldn't be doing so as the two are inherently linked.
I have a similar question too: my company wants to put a scope on its IT department, and we are not an IT company, and I keep telling them it would be a wrong scope, but they think this way: if information is kept in their IT systems, and the IT supports all other processes, why shouldn't we scope the IT and then force everything else from the IT (all the way to deputies' clean desk policies)?
And they say - standard is almost all about IT anyways, so why bother... we can push it all from IT... and the CEO wants it that way too. What to do?
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum