Hi Dejan and Rhand, thank you so much for always being there to answer our queries. Hopefully, other readers can also benefit from these questions. I have recently got the company I work for to re-certify for ISO27001. Our scope is only for the UK office.
However, when I did the works I ensured that everyone in the business were involved for example Security awareness training. We are increasingly getting request from clients who are asking us “whether you have plans to extend the IS027001 to include every office around the globe. In order to increase the scope what would be the basic process needed. Any inputs would be much appreciated. I also have the Secure and Simple book written by Dejan are there any particular chapter in there that may give me further guidance.
To extend the ISMS scope you have to perform all the steps as if you were implementing the ISMS for the first time, on a scale equivalent to the size of this extension.
While you will have less effort related to common requirements such as document and record control, internal audit and management review, the effort for the risk assessment and treatment will depend on how similar this extension is to the current scope. If they are similar you may use existent controls and security metrics with only minor adjustments.
In the Secure and Simple book, you should take a look at chapter 5 - FIRST STEPS IN THE PROJECT, which explains how to develop the ISMS scope.
These articles will provide you a further explanation about implementing ISO 27001 (the concepts are the same for scope extension):