Get in touch

Get in touch

  • This field is for validation purposes and should be left unchanged.

Privacy Notice

X

When you submit an enquiry via our website, we use the personal data you supply to respond to your query, including providing you with any requested information about our products and services. We may also email you several times after your enquiry in order to follow up on your interest and ensure that we have answered your it to your satisfaction. We will do this based on our legitimate interest in providing accurate information prior to a sale. Your enquiry is stored and processed as an email which is hosted by Microsoft within the European Economic Area (EEA). We keep enquiry emails for two years, after which they are securely archived and kept for seven years, when we delete them.

Reveal Menu
Home Blog Three Mistakes to Avoid when Defining your ISO 27001 Scope

Three Mistakes to Avoid when Defining your ISO 27001 Scope

 

One of the first things you’ll need to do when implementing ISO 27001 for an Information Security Management System (ISMS) is to define the scope. This can cause confusion and we’re often asked questions about the dos and don’ts of defining the ISO 27001 scope.  So, to ensure you’re on the right track, we’ve put together three common mistakes to avoid.

#1 – Assuming you need to cover everything

The first mistake is to assume that you must cover all aspects of your business in your scope. For a small organisation that may make sense, and certainly for simplification of your ISMS then it may be the best thing to do. However, if you have a particular purpose, or you’re a medium to large organisation, it may make sense to reduce the scope from everything to a set of specific areas and you need to be able to define those.

It could be that your reasons for going for certification to ISO 27001 revolve around proving that a particular service or location is secure and hence you want certification for that part only. This can speed up the process of certification because it means that you’re not having to cover quite as much. So there are definite advantages in defining the scope in a specific way to achieve the objectives that you’re trying to meet as part of certification.

#2 – Not defining your scope clearly

The second mistake is to not define your scope clearly enough. You need to be able to say which systems, which locations and which people are included in your scope so that they know exactly what they need to be doing, and you can identify any dependencies and any areas of greyness around where there is “scope bleed”.

You need to be able to say definitively what is included. This may be a problem; sometimes this is an issue in terms of explaining exactly what the scope consists of but whatever the makeup of your infrastructure and your locations and the other areas of your organisation, you need to be able to say exactly what is in, and what’s not.

#3 – Not communicating your scope well enough

The third mistake is to not communicate the scope that you’ve decided upon adequately, both internally and externally. Internally with the people who are affected within the organisation by the scope and need to be on board with the ISMS. Externally with suppliers and also with your certification body because the scope will be outlined on your certificate. You need to be able to clearly define this and to tell them as early as possible to get the certification body’s ok that the scope is reasonable, and that there aren’t further areas that will need to be included from their point of view. Communication is key, early communication particularly with the certification body, is very important.

So, these are our three common mistakes to avoid when defining your ISO 27001 scope. Getting the scope right in the beginning is key to a successful ISMS implementation, so taking the time to clearly define and communicate it can save unnecessary confusion in the future.  For more information on scope, our blog post ISO27001 Scope – What is it and how to define it correctly (and usefully) provides additional guidance.

 

Written by CertiKit’s CEO, Ken Holmes CISSP, CIPP/E. Ken is the primary author of CertiKit’s toolkit range, an ISO27001 Lead Auditor and has helped to implement, operate and audit ISO certifications over a varied 30-year career in the Information Technology industry. 

 

More ISO27001 resources

CertiKit are a provider of ISO toolkits, consultancy and internal auditing services, and have helped more than 4000 organizations worldwide with their compliance.

For more guidance on implementing the ISO27001:2022 standard, we’ve put together a list of our best free resources including video guides, blogs and downloadable documents.

Free ISO27001 Resources

We’ve helped more than 4000 businesses with their compliance

Testimonials

The kit did 90% of the work for me.

Medix
Israel

View all Testimonials

Cookie Control

CertiKit uses cookies to improve your user experience. Some are essential for our website to work, but for others you have a choice over which ones you’re happy for us to use.

Please set the controls below to enable or disable the types of cookies shown.

Nice to have cookies
What are these?

Advertising Cookies
What are these?

Cookie Policy