The ISO 27001 & ISO 22301 Blog

Dejan Kosutic

Problems with defining the scope in ISO 27001

You probably knew that the first step in ISO 27001 implementation is defining the scope. What you probably didn’t know is that this step, although simple at first glance, can sometimes cause you quite a lot of trouble. Namely, a lot of companies are trying to decrease their implementation costs by narrowing the scope, but they often find themselves in a situation where such a scope gives them a headache.

So, where is the problem?

The problem when the ISO 27001 scope is not the whole organization is that the Information Security Management System (ISMS) must have interfaces to the “outside” world – in that context, the outside world is not only the clients, partners, suppliers etc., but also the organization’s departments that are not within the scope. It may seem funny, but a department that is not within the scope should be treated in the same way as an external supplier.


For instance, if you choose that only your IT department is within your scope, and this department is using the services of the purchasing department, the IT department should perform a risk assessment of your purchasing department to identify whether there are any risks to the information for which the IT department is responsible; moreover, those two departments should sign terms and conditions for the services provided.

Why is such overhead necessary? You have to put yourself in the certification body’s shoes – it must certify that, within your scope, you are able to handle information in a secure way, while it cannot check any of your departments outside the scope. The only way to handle such a situation is to treat such departments as if they were external companies. (Please note: certification auditors never like a narrow scope.)

This is not where the trouble stops. Sometimes, a narrow scope is simply not possible, because there is no interface with the outside world. For instance, if employees from both within the scope and outside the scope are sitting in the same room, such a scope is hardly feasible; if the employees within and outside the scope use the same local network (with no segregation) and have access to the same network services, such a scope is definitely not possible – there is no way you would be able to control the information flow only inside the scope.

The point here is – narrowing your ISMS scope is sometimes impossible, and in most cases it will bring you unnecessary overhead. Therefore, what initially didn’t seem like a good solution might be the optimal one after all – try to extend your scope to the whole organization. The rule of thumb is: if your organization has no more than a few hundred employees, and one or just a few locations, the best thing would be for the ISMS to cover the whole organization.

On the other hand, if you really cannot cover the whole organization with your ISMS scope, try to set it in an organizational unit that is sufficiently independent. Try to solve the relationships with the organizational units outside the scope by defining the services they provide in internal documents (policies, procedures etc.) that serve as “agreements” – in such a way you can document those units’ obligations in a manner that is usable in daily operations.

There you go – you have solved the first step in your ISO 27001 implementation.

Learn more about defining the ISMS scope in this free online training ISO 27001 Foundations Course.


5 responses to “Problems with defining the scope in ISO 27001”

  1. Dev says:

    I appreciate what is being said here, but often staff take on multiple roles, and information flow across these roles is very difficult to manage. This is often the case where the same service is provided to different clients.

    In such a case, should there be one scope per client or one scope simply for the service?

  2. Epp says:

    Dear Mr. Dejan Kosutic,

    Thank you very much for the explanation. It really helps us, but we have some problems with the scope.
    Actually, my organization wants to go for ISO 27001:2013, but only for a specific business.

    Our organization is a small IT company and we have about 60 employees.
    Our main businesses are:
    1. Software Development for our client, and
    2. Data Center services

    We want to go for ISO 27001:2013, but mainly for the Data Center services only right now (because of limited time and resources). The problem is that both of the main businesses are in the same building, but on different floors.
    Can we exclude the Software Development business from the scope and go for the Data Center Services only?

    Thank you very much

    • Rhand Leal says:

      In theory you can exclude the Software Development business from the scope, but for an organization of such size maybe this approach won’t be worth the effort.

      Even with the Software Development business out of the scope, you will still have to map its relationship with the data center services, the risks involved, and how you protect the information of those processes, as if it were an external customer.

      For example, if your data center provides development and test environments for the Software Development business, which risks are involved, and how do you treat them? So, in my understanding, considering the whole business in the scope would be the best approach.

      • Epp says:

        Thank you for the answer, Mr. Rhand.

        We are still evaluating our decision right now. Your explanation really helps our situation, but our Board of Directors still insists on having the data center services certified first.
