Governance, Risk Management and Compliance
|
Information Security
|
ISO 27001
BLOGS

How do you Identify and Then Manage Your ISMS Scope?

|
|
|
PUBLISHED on
27
July
2022
Table of contents

When you are looking at the processes associated with managing the security of your organisation’s information assets, there are a number of occasions where you will need to consider the scope of what you are doing.  But firstly, we need to answer a basic question.

What is scope?

Scope is simply a description of what is included within the processes you are conducting and what is excluded i.e., what is included within your approach to information security? Within this description, it is important to consider all the different characteristics of your organisation.  For example, it is  likely you need to consider most, if not all, of the following when considering your scope:

  • Processes
  • Technology
  • Departments
  • Physical locations
  • People
  • Services
  • Third parties

You should think of each of the above in terms of their boundaries.  So, your scope description should include an understanding of what is included within the boundary, along with a stated justification for its inclusion and, specifically, what is excluded or held outside the boundary if appropriate.

For example, if you state under physical locations, ‘all physical locations are included’, then there would be no need to state the exclusions as there aren’t any.

It is particularly important to state a justification for something being excluded from scope so that anyone reading the report understands the reason for the exclusion.

So, where does scope need to be considered?  The first is a big picture view.  You need to consider the scope of your information security efforts.

Is it everything that the whole business would benefit from, or does it need to be broken down into smaller component parts?

For example, you might want to ensure that information security is well managed in the departments where personal and customer information are handled and maybe exclude areas where there is no sensitive information.  Or you might want to only concentrate on those business processes that generate significant revenue.

Other areas to consider in terms of scope include your risk management programme and your internal audit programme.  These too have a big picture and a more focused element.

The big picture scope needs to take into consideration all the areas of the business that need to be risk assessed and audited over the duration of your programme, which may cover a three to five-year period.  Whereas, the more focused scope considerations come into play when you are planning individual risk assessments or audits.

Do bear in mind that a sensible, achievable scope should be a starting point.  You may look to extend your big picture scope over time.

So, if ISO 27001 certification is your goal, start with a sensible, meaningful and achievable scope, then look to expand the scope as your approach matures.

Read more
Read more
Read more

Are you looking to implement ISO 27001? Or certify against the Standard?

URM offers a host of consultancy services to assist you implement and maintain ISO 27001, including gap analyses, risk assessments, policy development, auditing and training.
Recent blogs
Understanding Lexcel and the Specialist Quality Mark (SQM): How Cyber Essentials Can Benefit Your Practice
Business Continuity Exercising
ISO 9001:2015 Clause 8.3: Design and Development
ISO 27001:2022 - A.5 Organisational Controls (Legal, Regulatory and Contractual)
ISO 27001:2022 - A.5 Organisational Controls (Information Security Management)
How URM can help?
Consultancy
Are you planning your ISO 27001 audit programme?

Contact our experts and find out what you will need to carry out in order to have an effective ISO 27001 auditing function and programme

Read more
Consultancy
All you need to meet SOC 2 requirements

If your organisation has received a request for a SOC 2 report and is looking to meet all the necessary requirements, URM can offer you informed guidance and practical support.

Read more
Consultancy
Do you need any help with ISO 27001 certificate?

URM can help you achieve ISO 27001 certification

Read more
URM is renowned for helping organisations to achieve the optimum balance when implementing an ISMS.
Find out more
related BLog posts
Thumbnail of the Blog Illustration
Information Security
Published on
9/5/2024
Common Pitfalls Identified in Organisations Seeking ISO 27001 Certification

URM’s blog discusses the common pitfalls of the ISO 27001 implementation and certification process, and how you can avoid making the same mistakes.

Read more
Thumbnail of the Blog Illustration
Information Security
Published on
25/5/2022
Benefits of Implementing ISO 27001

What are the Benefits of Implementing ISO 27001? We dig a bit deeper on the benefits that are gained from implementing the standard.

Read more
Thumbnail of the Blog Illustration
Information Security
Published on
27/7/2022
Should You Start Your ISO 27001 Programme with a Gap Analysis or a Risk Assessment?

The answer depends on your goals and knowledge of your current position. This blog will look at which is best and when.

Read more
"
Leanr more about
URM Services
Complicated topic summarised really simply making GDPR accessible. I would love a recording as was distracted part way through and would like to re-enforce my knowledge by listening again (possibly a couple of times just to get it to sink in......)
Alec S.
Webinar 'GDPR - Back to Basics'
contact US

Let us help you

Let us help you in your compliance journey by completing the form and letting us know how we can best support you.