How to determine the scope of your ISO 27001 certification

Tom Martin-Ball, ISOQAR’s Information Security Sector Manager, considers how far an Information Security Management System should extend in your organisation - and why this decision is so critical to your business.

3rd Aug 2018

One of the first and most important things you will have to do when thinking about implementing ISO 27001 is identify the ‘scope’ of your Information Security Management System (ISMS).
 
The scope defines how far the system will extend within your organisation. It also states what will not be included and why it is not included.
 
Tendering for Contracts
It’s vitally important to get this right because if you’re submitting a tender, you need to ensure that the scope covers those areas of your business that are relevant to the contract.
 
On the other hand, you don’t want to set the scope too wide. If you do, then you are creating unnecessary work for yourself - and expense for your business. Maintaining an Information Security Management System is a lot of work and a wider scope will require more of your time. It also means that it will take longer to audit. So, whilst your certification body will be more than happy to sell you additional audit days, it’s expense that you could well do without.
 
Think about it. If most of your staff don’t work with critical information, why would they need to be covered by a full-blown ISMS? The answer is: they don’t.
 
Your scope only needs to be as wide as necessary.
 
Keep Costs to a Minimum
We had an example at Alcumus ISOQAR where an organisation came to us for a quote for ISO 27001 certification. We asked a range of questions, as we are obliged to do by UKAS, to calculate how much time we would need to audit the system. When we asked how many staff they had, the answer was 15,000. This would have meant 30 audit days. Great business for us!
 
But when we dug deeper and asked what those 15,000 people did, it became clear that most were labourers with no access to any sensitive data or information. So, information security was not really a challenge for them on the scale that we might have first thought. The only staff who encountered sensitive information were the 30 or so who worked in the billing department. So why not “ring-fence” the scope to these people?
 
The realisation that they could save a small fortune was welcome news indeed to our now happy client!
 
Things to Consider in the Scope of ISO 27001
 
Obviously it’s a little more involved than the above implies - but you get the idea. The extent of the system may not be as daunting as you originally feared, and you may therefore be pleasantly surprised at the cost of implementation and certification.
 
To add a little more flesh to the bones, here are the factors that any organisation thinking about ISO 27001 needs to consider when establishing the scope:
 
  • the roles of the staff
  • the sensitivity of the information they handle
  • any legal requirements
  • expectations of clients and interested parties
 
To finally establish the scope for your own needs, you should take advice from your Certification Body.
 
Please get in touch with us if you’d like to talk this through.