I have implemented ISO 27001 with the IT department as the scope, and I have successfully implemented it and got certified. Now I need to increase my scope to other departments. I need to know how I can do it. How will I do the gap assessment? What are the controls I should do the gap assessment against, as most of the information processing systems lie within the IT department?
What information do I have to protect, as the information within the other departments will be confined to paper assets? Please advise me on what approach I should take to extend my scope.
You must approach a scope extension as if it were a new implementation project (the steps are basically the same). The difference is that for a scope extension you have to assess how this inclusion will affect your current scope. For example, how will you handle access by the personnel of the new part of the scope to the current one? Will access levels be the same, or will they have to be updated? Since this new scope will include paper assets, how will this affect your information classification policy?