Some or all of our ISMS activities are provided by our corporate IT services. Should these activities be considered as IS.OR.235 activities, given that they are outside the approved/declared organisational structure?
Answer
Yes, for two reasons. First, treating them as IS.OR.235 activities ensures that the risks associated with these activities are managed appropriately in line with the risk management process. Second, the organisation must ensure that the necessary arrangements are in place to enable the CA to oversee the IS service provider.
The risks stemming from the interfaces and the criticality of the provided services should be considered, assessed and documented during the risk management process.
Last updated
15/06/2026