Avatar of Fing wong
Fing wongFlag for United Kingdom of Great Britain and Northern Ireland asked on

ISO 27001

Hi, I am currently going through the initial phases of alligning to ISO 27001 for the purposes of being certified in this area.  My scope is quite small and in general all of the data will reside within Office 365, with Sharepoint and Teams being the main mechanisms or working.

With the various certifications achieved by Microsoft in this area, does this generally means that if Microsoft is ISO Certified, and their Statement of Applicability covers off most of my controls, acheiving the Certification for my company is a lot simpler?

Any advice on this would be great.


Microsoft 365ConsultingNetwork SecuritySecurity

Avatar of undefined
Last Comment
Fing wong

8/22/2022 - Mon

Sort of if easier if all your data are stored and processed entirely in O365. 

The auditor will review the information asset inventory, consider the risks, their evaluation & treatments, and look for physical evidence that the organisation has satisfactorily implemented the controls it has claimed to address the risk.

Just be mindful of the below coverage as it can go beyond the tool

The SoA and Scope will cover the organisation’s products & services, its information assets, processing facilities, systems in use, people involved and the business processes, whether that is a virtual one person business or a multi-site international operation with thousands of staff.

It’s no good having an ISO certification with a Scope and SoA for a UK head office when the actual information processing risk is taking place in an offshore building with resources out of scope.

 That is actually one of the reasons why the certification bodies are now encouraging ‘whole organisation’ Scopes, which of course may mean a much broader and deeper statement of applicability is required.


Fing wong

My scope is determined based on the production of a single product and service for my business.

If my scope is narrow, and the information asset inventory included in the scope all reside in Office 365, as well having processes defined that people involved in the production all work within Office 365, then it should be quite straightforward to comply.

Does that make sense?


Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
See how we're fighting big data
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
Fing wong

Very good point.  

Experts Exchange has (a) saved my job multiple times, (b) saved me hours, days, and even weeks of work, and often (c) makes me look like a superhero! This place is MAGIC!
Walt Forbes