ISO ISMS Scope and Risk Assessment Scoping Questionnaire


Whether you’re just starting the journey or are midway through, this post outlines the key steps you need to take to prepare for ISO 27001 certification efficiently and effectively, and how Tego can support your compliance efforts.

Address

Primary Contact

Name

Signatory Contact

Name

Explain the organization’s timeline for the following milestones (please provide a goal date for each).

Does this initiative have the support of top management?
Will the ISO Project Team (IT and Tego Advisory) include, or have access to, representatives from Senior Management, Regulatory Affairs, Quality Assurance and the Legal team?
Has a budget been established for the ISO Project?
Will staff be available to help draft policies, procedures and work instructions and to provide evidence for the audit/assessment? (Estimate roughly 25% of one FTE for six to eight weeks.)
Are there any other major outsourcing or co-sourcing relationships between your organization and third parties (“subservice organizations”) that affect the delivery of the in-scope services?
Have you completed any previous third-party security reports or assessments? (e.g., SOC 2, a NIST-based assessment)
Do you have logical diagrams that depict the environment, including system boundaries and customer data flows?

Scope of Certification

The scope of the certification is a descriptive statement that defines the boundaries of the Information Security Management System: which locations, organizational units, services and systems are covered, and where the ISMS interfaces with parties outside it.
Example for reference only (not to be copied verbatim): The organization has categorized its office network and supporting systems, located in LOCATION, as a general support system (GSS) because they form an interconnected set of information resources under the same direct management control, share common functionality and provide the necessary IT infrastructure support. The organization has categorized its GSS as LOW according to Federal Information Processing Standard (FIPS) 199. Even though this system is of low criticality, it requires attention to security because of the risk and magnitude of harm that could result from the loss, misuse, unauthorized access to, or modification of the information it processes. Note that FIPS 199 categorization is a US federal construct and is not required by ISO 27001; it is shown here only as one way to state the criticality of the in-scope environment.
Example for reference only: The organization’s GSS is an information system that supports the general operations of the organization at its locations. It consists of a site-to-site WAN. The GSS systems are hosted in the local data center. The LANs are protected by firewalls and a network configuration that follows best practice. Domain and application security controls that follow best practice protect the GSS systems. Endpoints are patched and run endpoint protection.

Please enter any additional required information (your best estimate of what falls within the scope of the ISMS and the certification).

Are there any information-security-related contractual requirements placed upon your organization at this time?

Infrastructure Inventory

Please provide a high-level description of the significant systems and applications that are considered to be within the scope of the ISMS and certification (optional).

Firewalls

Routers

Switches/Hubs

IDS/IPS Device

VPN Concentrators

Proxy Servers

Directory Servers

Virtualization Management (Hypervisors)

Web Servers

Application Servers

Storage Servers/Databases/Appliances

Centralized Log Management Server (SIEM/log collector)

Workstations with access to the in-scope environment

In-Scope Application #1

In-Scope Application #2

Regulatory requirements to which your organization is subject