Choosing the scope of your certification is one of the most important decisions you will make when implementing an ISO management system. If you choose carefully, your certification will be meaningful to your customers and other stakeholders and won’t take forever to implement. A less wise choice on the other hand can send you spiralling off into a never-ending nightmare project that delivers little and too late.
The scope statement is the one that appears on your certification certificate and usually includes a definition of which processes, goods, services, locations and organizational units the management system covers.
Perhaps the first question to ask when considering your scope is “why are we doing this?”. Some common answers to this question are:
Your answer will help to determine what you need to include and what you could leave out; usually the more you include the longer it will take to implement and then to run once you’re certified. However, if you’re a relatively small organization the benefits of keeping it simple and including everything can outweigh the downsides, so think carefully.
If you’re doing this to prove something to your existing or prospective customers, then it would make sense to include those aspects of your business that your customers care about e.g. your major service offering or products. They may be less concerned about your internal functions such as HR function or Finance (although these are obviously important too). A contract that states certification as a requirement or a management diktat from above will also be helpful in deciding the minimum scope you need to adopt, assuming it gives enough detail.
Where there’s a general desire to improve it may be more difficult to define the most appropriate scope but don’t forget that you can start small and then grow it over the next few years as your management system matures. For example, one of the first ISO/IEC 27001 implementation projects the author was involved in was at a local government organization and defined as its initial scope The IT, HR and Benefits departments as these were felt to be the areas that held the most sensitive information. Other departments such as Finance and Procurement were added later, once certification had been gained.
But one of the questions often asked is “Can we become certified if we use external services such as cloud or outsourcing?”. Generally, the answer to this is yes but it does depend on the degree of control you maintain over the externally provided services. Certainly for the ISO/IEC 27001 information security and ISO22301 business continuity standards there are many certified organizations that make extensive use of the cloud (see our previous blog article). For the ISO/IEC 20000 IT service management standard there is a whole section (4.2 – Governance of processes operated by other parties) that defines what you must be doing in order to show that, although someone else does it for you, the process is still under your management control; satisfy these requirements and you can include these areas in your scope.
Be aware that you really need to be a single organization for certification purposes, so trying to include your suppliers in the scope isn’t going to work. If you’re considering certification to ISO/IEC 20000 (IT service management) it’s worth consulting Part 3 of the standard which is all about scope and applicability and includes some useful examples of scenarios in which certification is or isn’t possible.
Once you have a first draft, the next thing to do is to run it past your RCB (Registered Certification Body – see our blog article for how to choose one) and they will tell you whether they will be happy to audit you against that definition of scope. They may ask for the odd tweak and could request some justification for those areas you have decided to leave out.
In summary, it’s important to consider your scope as early on as possible as it will make a big difference to the activities you undertake during your implementation, so think carefully and don’t be afraid to get a few opinions from stakeholders before making your decision.