ISO 27001 Lab Series: Documenting the Scope of An Organization’s ISMS

Umar Farouk
6 min read · Feb 19, 2024


Welcome back to the series. So far, we have established some context for our use case. The next activity would be to understand the scope of the ISMS we’re to implement for DevEngineers. We will also need to get at least a high-level timeframe for implementation.

The "scope" of the ISMS is simply the set of areas of the organization that fall within your "jurisdiction," so to speak. You might object that an ISMS should have insight into every business process, and ideally, yes, it should; in real life, however, you will find that the management of an organization spells out the areas they are willing to invest in.

To fully understand the scope of the ISMS, you need to consider the human resources at the organization, business units, assets, products, and services offered, interdependencies, and process workflows relevant to that organization. The scope we will be working with for DevEngineers is all on-premise information assets. These areas will be documented in the Statement of Applicability document.

We will identify the scope by taking these three steps:

  • Identify the areas, systems, and locations where information is stored on-site.
  • Identify the interdependencies within these areas, systems, and locations (on-site dependencies, of course).
  • Identify what is out of scope.

The elements of the scope are listed below. The first piece of information you need is the inventory of assets that DevEngineers possesses. You cannot protect what you don't know exists; therefore, carrying out an asset inventory is a prerequisite for adopting an ISMS. For DevEngineers, these assets include:

  • Intellectual Property
  • Client Data
  • Information Technology Infrastructure
  • Human Resources (capacity and skills)

Intellectual Property

We need to understand the assets that fall under the scope of the ISMS. The critical assets for DevEngineers include intellectual property (IP). These IPs are intangible assets related to their software products. They consist of the blood and sweat of the DevEngineers development team, and they make the software unique and valuable. They include:

1. Source code: This is the heart of all software from DevEngineers—the actual programming language instructions that make it function. Copyright law protects source code, granting DevEngineers exclusive rights to reproduce, distribute, modify, or display it. More on copyright law later.

2. User interface (UI) and user experience (UX): The signature look and feel of the software; this includes visual elements, layout, and interaction design. These can be protected through design patents if they meet specific criteria. The interfaces of software like Instagram, Facebook, and Twitter are unique, and DevEngineers strives to have a unique UI, so it is important to protect it.

3. Trade secrets: I call trade secrets the "special sauce" that no company wants anyone to know about. Let me give an example: nobody except Mr. Krabs and SpongeBob knows the Krabby Patty secret formula :) To be more serious, the formula for Coca-Cola is known only to a few people on earth. Imagine if that information fell into the hands of a competitor like Pepsi. Confidential information, such as algorithms, formulas, or specific implementation details not readily available to others, that gives DevEngineers a competitive edge must be protected at all costs.

4. Trademarks: Logos and symbols that identify DevEngineers' software and distinguish it from competitors. Registering these trademarks strengthens protection and allows for legal action against infringers.

5. Patents: As a software development company, DevEngineers' goal is to solve client problems. Inventions with technical innovations that provide unique functionality or solve a technical problem in a new way can be patented for a limited period, granting exclusive rights to use, manufacture, sell, or import the invention. This makes registering and protecting these patents important.

Client Data

We also need to consider client data, or client PII, such as user data (names, addresses, national identity numbers, etc.), as critical to DevEngineers. Controls need to be put in place to protect client data, and there are many considerations to make. These will be fully fleshed out in the controls section of the process.

Personally Identifiable Information (PII): DevEngineers is the custodian of information such as client names, addresses, phone numbers, email addresses, and other personal details necessary for client identification and communication. Regulations, standards, and best practices with regard to managing PII will be identified and implemented.

User Account Information: DevEngineers also handles usernames, passwords, and account preferences associated with client-specific applications or platforms.

Financial Data: Payment information, credit card numbers, billing addresses, and other financial details relevant to transactions processed through client applications.

Business and Operational Data: Business records, transaction histories, inventory data, sales figures, and other operational information required for managing and analyzing business processes.

Information Technology Infrastructure

Network Infrastructure:
  • Local area network (LAN) and wide area network (WAN) components to facilitate internal communication, data transfer, and access to external resources.
  • Switches, routers, firewalls, and other network devices to manage network traffic and ensure security.

Hardware Resources:
  • Servers for hosting development environments, client applications, databases, and other critical services.
  • Workstations, laptops, and mobile devices for developers, project managers, and other staff members.
  • Storage devices, such as network-attached storage (NAS) or storage area networks (SANs), for storing project files, code repositories, and data backups.

Development Tools and Software:
  • Integrated development environments (IDEs), code editors, compilers, and debugging tools for software development.
  • Version control systems (e.g., Git) for managing source code repositories and collaboration among developers.
  • Project management software for planning, tracking, and managing software development projects.

Cloud Services:
  • Cloud computing platforms, such as Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP), for scalable infrastructure and deployment of cloud-based applications.
  • Software as a Service (SaaS) solutions for collaboration, communication, and productivity (e.g., Office 365, G Suite).

Security Infrastructure:
  • Endpoint protection software, firewalls, intrusion detection and prevention systems (IDPS), and other security tools to safeguard against cyber threats.
  • Secure remote access solutions, such as virtual private networks (VPNs), for remote workers and secure client connections.
  • Security information and event management (SIEM) systems for monitoring and analyzing security events across the infrastructure.

Backup and Disaster Recovery Systems:
  • Regular data backups and backup systems to ensure data integrity and facilitate recovery in the event of data loss or system failures.
  • Disaster recovery plans and procedures to minimize downtime and restore operations in the event of major disruptions.

Communication and Collaboration Tools:
  • Email servers, instant messaging platforms, and video conferencing solutions for internal communication and collaboration among team members.
  • Customer relationship management (CRM) systems for managing client interactions, inquiries, and support tickets.

Documentation

We documented the scope at a high level in the information security context, requirements, and scope document. You can find that here. Today I will share a sample of the Statement of Applicability document. The areas within our scope include network security, physical security, identity and access management, and many more; let's look at a few examples.

[Image: A sample of the Statement of Applicability document]

Conclusion

With all areas within the scope of the ISMS now identified and ready to be developed, implemented, and monitored, we can move forward in our ISO 27001 certification journey for DevEngineers.

I hope you have found value in today's article; consider subscribing and following me on my socials. If you have any questions, I am only a DM away.
