Expert Advice Community

Question on ISMS scope definition

Guest user Created:   Mar 03, 2021 Last commented:   Mar 03, 2021

Thanks so much for the webinar. We were finalizing our scope and our management wanted us to consider a smaller scope. Can you just remind me of a couple of points you made in the webinar?


1 - The scope cannot be a server or a product, because it is a management standard, right? Does this then mean that it can’t be an environment, like a cloud environment? Would you set the scope as the software engineering department, for example, instead?

2 - And you mentioned the scope cannot be drawn between people who share the same office? Does this mean they would also need to be segregated in terms of network or email environment?

I’d really appreciate your opinion as I think the delivery time will be quite different if we chose the smaller scope rather than the whole company, although maybe more detailed in segregating them.


Expert
Rhand Leal Mar 03, 2021

1 - The scope cannot be a server or a product, because it is a management standard, right? Does this then mean that it can’t be an environment, like a cloud environment? Would you set the scope as the software engineering department, for example, instead?

Your assumption is correct. The ISMS scope cannot be defined in terms of products, assets, or technologies. It needs to be defined in terms of information, location or processes to be protected, so the definition of the scope as a software engineering department is more appropriate.

This article will provide you with a further explanation about scope definition:

These materials will also help you regarding scope definition:

2 - And you mentioned the scope cannot be drawn between people who share the same office? Does this mean they would also need to be segregated in terms of network or email environment?
I’d really appreciate your opinion as I think the delivery time will be quite different if we chose the smaller scope rather than the whole company, although maybe more detailed in segregating them.

Please note that, for small environments, it is better to define all its elements as the ISMS scope because the effort and costs to segregate them may not be worthwhile, compared to managing all elements as part of the ISMS scope.

This article will provide you with a further explanation about scope definition:
