Lesson 1, Topic 1

Capture context & define scope of application

One of the most important steps is to inform employees, management and other relevant people about why an ISMS is important, and to share information about the benefits, tasks, etc. that an ISMS brings with it.

Once there has been sufficient coordination with management, you can move forward with the structures. For this, the following things are essential:

  • Obtain support from top management
  • Define responsibilities
  • Delegate authority
  • Assign organizational roles

You can also organize the appointment of the Information Security Officer (ISO/ISB) in this process. A suitable document template is available in the toolkit, entitled “Appointment Information Security Officer”.

To know which values need to be protected with respect to the three objectives of confidentiality, integrity and availability, a list of all relevant assets (values) is required. For this purpose, we offer you the table template “Inventory of Assets”. It already includes examples that give you an idea of how such a list should be structured. The listing helps to highlight the existing assets in the company and the protection needs (high, medium and low) they have.

The next step is to capture the context and define the scope. Questions such as the following arise: are only some locations affected, are only some departments affected, or are there customer requirements, laws, etc. which have to be considered? The document template “Identification of requirements” helps you to answer them.

Tip: In most cases, the exclusion of sites does not result in great savings, so it should be carefully considered whether certification for all sites would be more efficient.