Guest user Created: Apr 12, 2017 Last commented: Apr 12, 2017

Scope definition

In your blog describing problems with defining the scope in ISO 27001, there is a discussion about problems related to narrowing the scope to part of the organization, as opposed to the whole organization. It is not clear to me whether there would be problems in the situation where the whole organization is included, but only a specific type of information (e.g. only health information) is included in the scope. Do you predict problems with narrowing the scope based on the type of information?

0 0

Assign topic to the user

Select user

Expert

Rhand Leal Apr 12, 2017

Answer: Yes, you may have problems with this approach. Information needs change more dynamically than other common aspects used for scope definition (business units, processes and business locations), and you may ending up with more administrative effort to manage this kind of scope.

Besides that, you also may have processes working with both information that are inside and outside the scope, and this requires more effort than simply considering all the information included in the scope.

These materials will also help you regarding scope definition:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Quote

0 0

Comment as guest or Sign in

HTML tags are not allowed

Name *

Email *

I accept the Privacy and Terms

Notify me when someone replies

Apr 12, 2017

Expert Advice Community