Expert Advice Community

Excluding certain departments from the ISMS scope

Guest user, created Oct 23, 2016 (last commented Oct 23, 2016)

Is it possible for me to exclude certain departments within my company (let's say HR, for example) from the ISMS scope and still be eligible for the ISO 27001 certificate?

Expert
Dejan Kosutic Oct 23, 2016

Answer: Yes, ISO 27001 allows you to set the scope of your ISMS for only one part of your organization. However, this is not recommended for smaller organizations (smaller than 100 employees). This is because all parts of your organization that will be outside of the scope will be treated as the "outside world", which means you will need to protect the information within the ISMS scope from those departments which are outside of the scope.

This problem is described in detail in this article: Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

For a larger organization, it is quite normal to go with a smaller scope, because the project is going to be quicker and cheaper.

Read also: How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
