How does one go about confining a registrar during the audit to the scope that has been defined? I've experienced an auditor who seems to be attempting to expand ISMS scope beyond the internally agreed-upon scope. We are limiting the scope of the ISMS to the ***; nothing more, nothing less.
I realize the ISMS can be a system that covers more than just security operations, but for initial purposes the *** and ISMS are defined as one and the same. The definition will change over time as scope increases. Just curious.
Just because you have defined a certain ISMS scope does not mean such a scope is feasible - for example, if there are no clear boundaries for such a scope, then you would have to expand the scope.
Therefore, if your scope is not feasible you should listen to the certification auditor; if your scope is feasible then you have to prove to the certification auditor why you think so. Generally, the recommendation is that information security should cover the entire organization.