I need some tips on expanding the ISO 27001:2013 scope. We are certified but would like to extend the scope to include another entity of our firm. Could you please assist by sharing some tips on dos and don'ts to consider? Also, do I have to do the security metrics and risk treatment again?
To extend the ISMS scope you have to perform all the steps as if you were implementing the ISMS for the first time, on a scale equivalent to the size of this extension.
While you will have less effort related to common requirements such as document and record control, internal audit and management review, the effort for the risk assessment and treatment will depend on how similar this extension is to the current scope. If they are similar, you may use existing controls and security metrics with only minor adjustments.