ISO 27001 Training


Cost Effective Solution

SCOPE

1. You need to identify the locations where information is stored. This includes physical and digital files, the latter of which might be kept locally or in the cloud.
2. You need to identify the organizational units or departments where you want to implement the ISMS.
3. You may want to include only some of the processes and services within those organizational units.
4. You have to specify which assets, networks and infrastructure are included in the ISMS.
5. You need to determine what is out of scope, i.e. the boundaries. These are elements that your organization has no control over, such as third-party products, or that it does not need to secure.
6. When you have determined the scope, you will need to document it, usually in a few statements or paragraphs. This document has a validity duration and an owner, both of which should be defined.
In this example the scope covers one location, which is the second floor of the company's headquarters. On this floor there is only one organizational unit we are interested in, the finance department, and within it only two processes and services: contract management and the accounting service.
All IT systems and networks used by the finance business are included in the scope.
On the second floor there is a cafeteria for finance department employees. It is excluded from the scope.
This document is valid for one year and should be reviewed by the chief information security officer, who is also its owner and the person responsible for it.

"We are a domestic bank, with a focus on retail banking." Here we describe our business sector, in other words what we do to make money.
"The storage and processing of sensitive customer data is part of our core business." Here we define our main asset: the customer data that is part of the business.
"It is therefore our duty to protect our clients' data and our information assets in relation to confidentiality, integrity and availability." Here we define which aspects of data and information are protected: confidentiality, integrity and availability.
"The ISMS applies to the entire organization, our employees as well as contractors." Here we state that the scope applies to the whole organization.

This policy must cover the organization's objectives regarding information security. It must clearly show management's commitment to meeting security requirements and to continually improving the ISMS. The policy is a top-level policy, not a detailed one. Details about information security controls and rules must be described in other, lower-level policies and procedures. The policy must be communicated within the organization, and responsibility for that communication must be assigned.
