Is it possible to restrict the scope of the ISMS to just one department or business unit, at least initially?
Restricting the scope of the ISMS may reduce some of the effort and costs involved in the implementation but also reduces the realisable benefits, hence the net business value of the ISMS may well be lower. It is not necessarily such an easy option as it might at first appear, as your supplementary question implies. The scope boundary can be a problem since, by definition, everything outside the scope is inherently less trustworthy than that within. Information security risks within scope of the ISMS (i.e. risks directly affecting the in-scope area) are assessed and treated, and this includes risks affecting the information flows going into or out of the scoped area.