There might be a serious problem with this reduced scope for the ISMS. Due to the need for connexion with the two other sites, the reduced ISMS scope might not be feasible. This decision should be reviewed and justified.
You may consider the two other sites as external, but the complexity is in the close interactions in/out/in-out that are continuous or at least continual. When describing the scope, you should also clearly describe what is in and what is out.
When there are connections with other entities (be they from the same company or external) you should identify and describe the interfaces with the associated risks of information coming in and going out. Identifying the communication channels and the associated risks is also important, depending on the responsibility for protection the ISMS scope has. In your case, you have to use both directions.
In any case, it is easier to have all the 4 locations within the scope.
This post on the blog can also help you: Problems with defining the scope in ISO 27001:
https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
Jan 12, 2016