
ISO 27001

Last Modified: 2020-05-01
Hi, I am currently going through the initial phases of aligning to ISO 27001 for the purposes of being certified in this area. My scope is quite small and in general all of the data will reside within Office 365, with SharePoint and Teams being the main mechanisms of working.

With the various certifications achieved by Microsoft in this area, does this generally mean that if Microsoft is ISO certified, and their Statement of Applicability covers off most of my controls, achieving the certification for my company is a lot simpler?

Any advice on this would be great.

Thanks

Fingwong

btan, Exec Consultant
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:

Sort of; it is easier if all your data are stored and processed entirely in O365.

The auditor will review the information asset inventory, consider the risks, their evaluation & treatments, and look for physical evidence that the organisation has satisfactorily implemented the controls it has claimed to address the risk.

Just be mindful of the below coverage, as it can go beyond the tool.

The SoA and Scope will cover the organisation’s products & services, its information assets, processing facilities, systems in use, people involved and the business processes, whether that is a virtual one-person business or a multi-site international operation with thousands of staff.

It’s no good having an ISO certification with a Scope and SoA for a UK head office when the actual information processing risk is taking place in an offshore building with resources out of scope.

That is actually one of the reasons why the certification bodies are now encouraging ‘whole organisation’ Scopes, which of course may mean a much broader and deeper statement of applicability is required.

Fing wong, Information Security Manager

Author

Commented:
My scope is determined based on the production of a single product and service for my business.

If my scope is narrow, and the information asset inventory included in the scope all resides in Office 365, as well as having processes defined so that the people involved in the production all work within Office 365, then it should be quite straightforward to comply.

Does that make sense?

Thanks
Exec Consultant
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:
Fing wong, Information Security Manager

Author

Commented:
Very good point.

Thanks