<div>
Sort of if easier if all your data are stored and processed entirely in O365.&nbsp; <blockquote><span style="box-sizing: border-box; margin: 0px; padding: 0px; border: 0px; outline: 0px; background: 0px 0px rgb(255, 255, 255); font-size: 14px; vertical-align: baseline; text-size-adjust: 100%; color: rgb(102, 102, 102); font-family: &quot;Open Sans&quot;, Arial, sans-serif; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; letter-spacing: normal; orphans: 2; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-style: initial; text-decoration-color: initial; font-weight: 400;">The auditor will review the <a href="https://www.isms.online/iso-27001/information-asset-inventory/" rel="ugc" style="box-sizing: border-box; margin: 0px; padding: 0px; border: 0px; outline: 0px; background: 0px 0px rgb(255, 255, 255); font-size: 14px; vertical-align: baseline; text-size-adjust: 100%; color: rgb(46, 163, 242); text-decoration: none; font-family: &quot;Open Sans&quot;, Arial, sans-serif; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 500; letter-spacing: normal; orphans: 2; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px;">information asset inventory,</a><span style="box-sizing: border-box; margin: 0px; padding: 0px; border: 0px; outline: 0px; background: 0px 0px rgb(255, 255, 255); font-size: 14px; vertical-align: baseline; text-size-adjust: 100%; color: rgb(102, 102, 102); font-family: &quot;Open Sans&quot;, Arial, sans-serif; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; letter-spacing: normal; orphans: 2; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-style: initial; text-decoration-color: initial; font-weight: 400;">&nbsp;consider the risks, their evaluation &amp; treatments, and look for physical evidence that the organisation has satisfactorily implemented the controls it has claimed to address the risk.</blockquote> Just be mindful of the below coverage as it can go beyond the tool <span style="color: rgb(102, 102, 102); font-family: &quot;Open Sans&quot;, Arial, sans-serif; font-size: 14px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255); text-decoration-style: initial; text-decoration-color: initial; display: inline !important; float: none;">The SoA and Scope will cover the organisation’s products &amp; services, its information assets, processing facilities, systems in use, people involved and the business processes, whether that is a virtual one person business or a multi-site international operation with thousands of staff. <span style="color: rgb(102, 102, 102); font-family: &quot;Open Sans&quot;, Arial, sans-serif; font-size: 14px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255); text-decoration-style: initial; text-decoration-color: initial; display: inline !important; float: none;">It’s no good having an ISO certification with a Scope and SoA for a UK head office when the actual information processing risk is taking place in an offshore building with resources out of scope. <span style="color: rgb(102, 102, 102); font-family: &quot;Open Sans&quot;, Arial, sans-serif; font-size: 14px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255); text-decoration-style: initial; text-decoration-color: initial; display: inline !important; float: none;">&nbsp;That is actually one of the reasons why the certification bodies are now encouraging ‘whole organisation’ Scopes, which of course may mean a much broader and deeper statement of applicability is required.<span style="color: rgb(102, 102, 102); font-family: &quot;Open Sans&quot;, Arial, sans-serif; font-size: 14px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255); text-decoration-style: initial; text-decoration-color: initial; display: inline !important; float: none;">&nbsp;
</div>

<div>
My scope is determined based on the production of a single product and service for my business. 
 
If my scope is narrow, and the information asset inventory included in the scope all reside in Office 365, as well having processes defined that people involved in the production all work within Office 365, then it should be quite straightforward to comply. 
 
Does that make sense? 
 
Thanks
</div>

Information Security Manager

Fing wong

<div>
Very good point. &nbsp; 
 
Thanks
</div>

<div>
<div class="content wysiwyg-content">
Hi, I am currently going through the initial phases of alligning to ISO 27001 for the purposes of being certified in this area. &nbsp;My scope is quite small and in general all of the data will reside within Office 365, with Sharepoint and Teams being the main mechanisms or working. 
 
With the various certifications achieved by Microsoft in this area, does this generally means that if Microsoft is ISO Certified, and their Statement of Applicability covers off most of my controls, acheiving the Certification for my company is a lot simpler? 
 
Any advice on this would be great. 
 
Thanks 
 
Fingwong
</div>
</div>

Hi, I am currently going through the initial phases of alligning to ISO 27001 for the purposes of being certified in this area.  My scope is quite small and in general all of the data will reside within Office 365, with Sharepoint and Teams being the main mechanisms or working.

With the various certifications achieved by Microsoft in this area, does this generally means that if Microsoft is ISO Certified, and their Statement of Applicability covers off most of my controls, acheiving the Certification for my company is a lot simpler?

Any advice on this would be great.

Thanks

Fingwong

ISO 27001

Office 365 is a group of software plus services subscriptions that provides productivity software and related services to its subscribers. Office 365 allows the use of Microsoft Office apps on Windows and OS X, provides storage space on Microsoft's cloud storage service OneDrive, and grants 60 Skype minutes per month. Office 365 includes e-mail and social networking services through hosted versions of Exchange Server, Skype for Business Server, SharePoint and Office Online, integration with Yammer, as well as access to the Office software. All of Office 365's components can be managed and configured through an online portal; users can be added manually, imported from a CSV file, or Office 365 can be set up for single sign-on with a local Active Directory using Active Directory Federation Services.

Microsoft 365

A consultant is a professional who provides professional or expert advice in a particular area such as security (electronic or physical), management, education, accountancy, law, human resources, marketing and public relations, finance, engineering, science or any of many other specialized fields.

Consulting

Network security consists of the policies adopted to prevent and monitor authorized access, misuse, modification, or denial of a computer network and network-accessible resources. Network security involves the authorization of access to data in a network, and covers a variety of computer networks; conducting transactions and communications among businesses, government agencies and individuals. Networks can be private, such as within a company, and others which might be open to public access.

Network Security

Security is the protection of information systems from theft or damage to the hardware, the software, and the information on them, as well as from disruption or misdirection of the services they provide. The main goal of security is protecting assets, and an asset is anything of value and worthy of protection.  Information Security is a discipline of protecting information assets from threats through safeguards to achieve the objectives of confidentiality, integrity, and availability or CIA for short. On the other hand, disclosure, alteration, and disruption (DAD) compromise the security objectives.