Expert Advice Community

Context and scope of the ISMS / ISO 27001 v 2013

Guest post. Created: Jan 12, 2016. Last commented: Jan 24, 2022

Hi everyone, I'm preparing the migration from v 2005 to v 2013 and I'm a bit lost on what I should put in the context and scope document. Shall I leave the old scope and add what is needed in 4.3? Also, I couldn't really understand what is needed in 4.3 (4.2 and 4.1). Many thanks,
Guest
Guest post Jan 12, 2016

Hi Afef,

ISO 27001:2005 (Clause 4.2.1.a) clearly describes the scope. If you keep it, that's good.
ISO 27001:2013 looks at the issue differently and adds to it.
Clause 4.3 (new) is the same as Clause 4.2.1 a (old) and adds 4.1 and 4.2.
So, as you propose, keep the old 'scope' and add to it.

There is, however, no explanation in ISO 27001 of what it means, except the reference to ISO 31000:2009 clause 5.3.

Short explanation:
4.1 Requires you to continually analyse the context (social, cultural, political, legal, financial, technological and 'market') of your organisation to make sure you take all elements into consideration to 'tailor' your scope to your real 'macro' needs.
4.2 Requires you to understand and integrate the (security) expectations of the 'parties', which may be 1) External: regulators, stakeholders, suppliers, partners, clients and 2) Internal: asset owners, CIO and IT department, decision makers, users, etc.

These posts on the blog can also help you:

"Explanation of ISO 27001:2013 clause 4.1 (Understanding the organization)": https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/
"Problems with defining the scope in ISO 27001": https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
"How to identify interested parties according to ISO 27001 and ISO 22301": https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//
"Risk owners vs. asset owners in ISO 27001:2013": https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/

Guest
widaluniofFT Jan 17, 2022

It has to determine its needs and expectations and those of interested parties and decide the scope of the ISMS.

Guest
atollluniofIB Jan 24, 2022

So we would suggest you avoid the risk analysis, or any deep consideration of 'what if', at this stage and concentrate on identifying the issues. Personal data, sensitive customer ideas and IPR, financial information, brand, codebases, etc.? Therefore consider any existing issues of: recruitment e.g.
