Expert Advice Community

Scope definition

Guest user Created:   Jun 02, 2018 Last commented:   Jun 02, 2018

My main focus is the delivery of IT managed services to customers. Second one was/is related to GDPR and we would like to start an ISO27001 project.
Expert
Rhand Leal Jun 02, 2018

This has been discussed during our Management meeting and our main trigger is sales related. Most of our customers and prospects strongly request ISO27001 certification, especially since 1 year.

One thing we are all convinced of is that we would like to attain this, but we still have open points about scope. The main reason is that we are part of a multinational environment and a lot is changing currently. Our IT has centralized since last year. So no local impact on decisions.

And our backoffice activities will now also get more centralized. From an ISO certification point of view we see a lot of (possible) impact.

So maybe you could assist me already with 1 important question. Do we need to go for an ISO27001 certification for the entire organization?

Or would a certification for a specific part be enough? For example, we mainly require this in environments where we deliver the IT services.

Would it be possible to get a short reply about pros and cons? Or maybe a reason not to do this for only a part of the organization?

I’m responsible for 2 countries. 1 has already ISO9001, the other doesn’t.

Answer: ISO 27001 does not require the entire organization to be in the scope for the certification, so you can define the scope that will better suit your organization's needs.

For small and mid-size organizations (up to 500 employees) it is often better to include the whole organization in the scope, because the effort to keep only part of the organization in the scope is not worth it. For bigger organizations, defining a smaller scope may be better to reduce the costs and effort to what really matters for business objectives.

If your organization is smaller than 50 employees you should go for the whole scope.

These articles will provide you further explanation about scope definition:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

This material will also help you regarding scope definition:
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
