- Title: ISMS Scope Statement
- Document ID: [GOV-ISMS-SCOPE-001]
- Version: 0.1 Draft
- Status: Draft
- Owner: CISO (Paul Jenkins)
- Approver: CEO (Paul Hague)
- Classification: Internal
- Effective date: [DD Month YYYY]
- Review date: [DD Month YYYY]

# ISMS Scope Statement

## Purpose

This document defines the intended scope of BlackDice's Information Security Management System (ISMS). It provides the working boundary for risk management, control selection, governance, and assurance activity.

## Scope

The ISMS is intended to cover the people, processes, information, and technology used to design, build, operate, support, and assure BlackDice services within the approved organisational boundary.

The scope is expected to include, where applicable:

- cloud-native SaaS service delivery activities
- containerised and Kubernetes-based workloads
- software engineering, code review, build, release, and CI/CD activities
- security telemetry processing, monitoring, and operational support
- supplier-supported services and third-party dependencies relevant to service delivery
- customer assurance, information handling, and security governance activities

## In-Scope Organisational Activities

The following activity groups should be treated as in scope unless explicitly excluded by approved scope decisions:

- product and platform engineering
- production operations and service support
- security operations and incident handling
- corporate functions handling in-scope information assets
- supplier management for material service providers
- internal governance, audit, and management review activities

## In-Scope Assets and Information

In-scope assets are expected to include:

- information used to operate, secure, or support BlackDice services
- source code, build artefacts, and deployment configurations
- cloud infrastructure, Kubernetes clusters, and supporting management planes
- endpoints and collaboration systems used to access in-scope information
- records generated by the ISMS, including risk, incident, exception, and audit records

## Interested Parties and Interfaces

The ISMS should take account of the needs and expectations of relevant interested parties, including:

- BlackDice personnel and contractors
- customers and prospective customers
- key suppliers and service providers
- regulators and supervisory bodies where applicable
- external auditors and assurance reviewers

Interfaces with customer-managed or operator-hosted environments must be defined during tailoring so that control responsibilities are clear for SaaS and operator-hosted deployment patterns.

## Scope Boundaries and Exclusions

Any exclusions from scope must be explicitly documented, justified, reviewed for risk impact, and approved by [Approval Authority]. Exclusions must not undermine the ability of the ISMS to address material information security risks associated with BlackDice's operating model.

Current exclusions:

- [No exclusions confirmed]

## Assumptions and Constraints

- Legal, contractual, and regulatory obligations remain subject to confirmation and ongoing review.
- Roles, system names, and ownership assignments will be completed during tailoring.
- Shared-responsibility boundaries with customers and suppliers may vary by service model and must be documented where relevant.

## Roles and Responsibilities

- The ISMS owner must maintain this scope statement.
- Process and system owners must identify assets and activities that fall within the approved scope.
- Management must review proposed scope changes where business, technology, or supplier arrangements materially change.

## Monitoring and Review

This scope statement should be reviewed at least annually and when significant changes occur, including:

- new products or service lines
- material changes to hosting or deployment models
- mergers, acquisitions, or organisational restructuring
- major supplier changes
- significant regulatory or contractual changes

## Related Documents

- Information Security Policy
- ISMS Manual
- Risk Assessment and Treatment Methodology
- Statement of Applicability Template

## Version Control

| Version | Date | Description of Change | Author |
| --- | --- | --- | --- |
| 0.1 Draft | [DD Month YYYY] | Initial draft. | [Name or Role] |