Determining scope
once the organizations context has been documented how we would use the information to determine the scope. How do I facilitate in such a way that get them thinking about our products and associated processes/activities in a way that exposes the BC risks.
Assign topic to the user
First is important to note that ISO 22301 does not require organizational context to be documented, only to be determined.
Considering that, you can use the organizational context as criteria to see if the proposed BCMS scope is enough for your business. For example, if an external issue is a law or regulation, you need to verify if your proposed scope is enough to fulfill it, or if it does not violate it in some manner. The same is applied for an internal issue like a core activity or a process (is it covered by the proposed scope or not).
As a way to get people thinking about organizational context when evaluating their own products and processes, you should consider developing a short customized presentation, linking internal and external issues to specific products and processes, and questions on how these issues can affect their products and processes.
These articles will provide you a further explanation about scope definition (although they are about ISO 27001, the same concept applies to ISO 22301:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
- How to set the ISMS scope according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/
This material will also help you regarding Scope definition:
- Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
Comment as guest or Sign in
Jan 21, 2021