Expert Advice Community

ISO 27001 certification

Guest user Created:   Jun 17, 2017 Last commented:   Jun 20, 2017

For example, we have software, and our customers are asking us if this software is certified by ISO 27001. We need to know if we have to implement the standard in the entire environment or if it is possible to implement (and certify) it only in a reduced scope (for example: specific software, only the data center, etc.).

Expert
Rhand Leal Jun 17, 2017

Answer: First of all, ISO 27001 cannot be used to certify products. This standard can be used to certify an organization's Information Security Management System, regarding processes, organizational units and locations.

That said, yes, you can have a limited scope, defining your Information Security Management System in terms of the software development process used to deliver the product, as a means to assure your customers that the required information security measures are identified, included and maintained in the software. But you should also note that limiting the scope doesn't make sense for smaller companies, since it will require greater effort than managing the security considering the whole organization.

These articles will provide you with further explanation about ISMS scope:

- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

These materials will also help you regarding ISMS scope:

- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Guest
fazendarodrigov Jun 20, 2017

Thanks very much rhandleal.
