Guest user Created: Dec 02, 2017 Last commented: Dec 02, 2017

Scope Definition

In terms of reducing/isolating scope of ISO 27001 certification. If our business has a core offering with additional “add-on” offerings/services, is it possible to reduce/isolate the scope and be ISO 27001 certified with just the core offerings or would we need to be looked at and be audited for ALL company offerings as a whole? For example: One offering is to help marketing our client’s services and the “add-on” service is to host an LMS (Learning Management System).

0 0

Assign topic to the user

Select user

Expert

Rhand Leal Dec 02, 2017

Answer: You can limit your ISMS scope to your business core offering without problems, but for small and medium-size organizations sometimes is better to include all the organization in the ISMS scope, because the effort to manage a scope that covers only part of the organization is not worthy.

These articles will provide you further explanation about scope definition:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/pro blems-with-defining-the-scope-in-iso-27001/

These materials will also help you regarding scope definition:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Quote

0 0

Comment as guest or Sign in

HTML tags are not allowed

Name *

Email *

I accept the Privacy and Terms

Notify me when someone replies

Dec 02, 2017

Expert Advice Community