{"id":4809,"date":"2010-06-29T20:08:35","date_gmt":"2010-06-29T20:08:35","guid":{"rendered":"https:\/\/multiacademstg.wpengine.com\/27001academy\/blog\/010\/06\/29\/problems-with-defining-the-scope-in-iso-27001\/"},"modified":"2025-07-08T14:16:33","modified_gmt":"2025-07-08T14:16:33","slug":"problems-with-defining-the-scope-in-iso-27001","status":"publish","type":"post","link":"https:\/\/advisera.com\/27001academy\/blog\/2010\/06\/29\/problems-with-defining-the-scope-in-iso-27001\/","title":{"rendered":"Problems with defining the scope in ISO 27001"},"content":{"rendered":"<p>You probably knew that the first step in <a href=\"https:\/\/advisera.com\/27001academy\/what-is-iso-27001\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISO 27001<\/a> implementation is defining the <a href=\"https:\/\/advisera.com\/27001academy\/iso-27001-documentation-toolkit\/?rel=management-system&amp;doc=isms-scope-document\" target=\"_blank\" rel=\"noopener\">scope<\/a>. What you probably didn\u2019t know is that this step, although simple at first glance, can sometimes cause you quite a lot of trouble. Namely, many companies try to decrease their implementation costs by narrowing the scope, but they often find that such a scope gives them a headache.<\/p>\n<p>So, where is the problem?<\/p>\n<p>The problem when the ISO 27001 scope is not the whole organization is that the Information Security Management System (ISMS) must have interfaces to the \u201coutside\u201d world \u2013 in that context, the outside world is not only the clients, partners, suppliers, etc., but also the organization\u2019s own departments that are not within the scope. 
It may seem funny, but a department which is not within the scope should be treated in the same way as an external supplier.<\/p>\n<p><img decoding=\"async\" class=\"aligncenter size-full wp-image-22508\" src=\"\/wp-content\/uploads\/sites\/5\/2010\/06\/problems-scope-27001-article.jpg\" alt=\"Problems with defining the scope in ISO 27001\" width=\"1000\" height=\"545\" srcset=\"\/wp-content\/uploads\/sites\/5\/2010\/06\/problems-scope-27001-article.jpg 1000w, \/wp-content\/uploads\/sites\/5\/2010\/06\/problems-scope-27001-article-300x164.jpg 300w, \/wp-content\/uploads\/sites\/5\/2010\/06\/problems-scope-27001-article-768x419.jpg 768w\" sizes=\"(max-width: 1000px) 100vw, 1000px\" \/><\/p>\n<p>For instance, if you decide that only your IT department is within your scope, and this department uses the services of the purchasing department, the IT department should perform a risk assessment of the purchasing department to identify any risks to the information for which the IT department is responsible; moreover, the two departments should sign terms and conditions for the services provided.<\/p>\n<p>Why is such an overhead necessary? You have to put yourself in the certification body\u2019s shoes \u2013 it must certify that within your scope you are able to handle information in a secure way, while it cannot check any of your departments outside the scope. The only way to handle such a situation is to treat those departments as if they were external companies. (Please note: certification auditors tend not to like a narrow scope.)<\/p>\n<p>This is not where the trouble stops. Sometimes a narrow scope is simply not possible, because there is no clear interface between the scope and the outside world. 
For instance, if employees from both within and outside the scope sit in the same room, such a scope is hardly feasible; if employees within and outside the scope use the same local network (with no segregation) and have access to the same network services, such a scope is definitely not possible \u2013 there is no way you would be able to control the flow of information so that it stays inside the scope.<\/p>\n<p>The point here is \u2013 narrowing your <a href=\"https:\/\/advisera.com\/27001academy\/iso-27001-documentation-toolkit\/?rel=management-system&amp;doc=isms-scope-document\" target=\"_blank\" rel=\"noopener\">ISMS scope<\/a> is sometimes impossible, and in most cases it will bring you unnecessary overhead. Therefore, what initially didn\u2019t seem like a good solution might be the optimal one after all \u2013 try to extend your scope to the whole organization. The rule of thumb is: if your organization has no more than a few hundred employees, and one or just a few locations, the best thing would be for the ISMS to cover the whole organization.<\/p>\n<p>On the other hand, if you really cannot cover the whole organization with your ISMS scope, try to set it around an organizational unit that is sufficiently independent, and try to resolve its relationships with the organizational units outside the scope by defining their services in internal documents (policies, procedures, etc.) 
that would serve as \u201cagreements\u201d \u2013 in this way you can document those organizational units\u2019 obligations in a manner that is usable in daily operations.<\/p>\n<p>There you go \u2013 you have solved the first step in your ISO 27001 implementation.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>You probably knew that the first step in ISO 27001 implementation is defining the scope. What you probably didn\u2019t know is that this step, although simple at first glance, can sometimes cause you quite a lot of trouble. 
Namely, a lot of companies are trying to decrease their implementation costs by narrowing the scope, but &#8230;<\/p>\n","protected":false},"author":26,"featured_media":22496,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[256,381,405,754],"class_list":["post-4809","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-certification","tag-iso-27001","tag-isms","tag-scope"],"acf":[],"_links":{"self":[{"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/4809","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/users\/26"}],"replies":[{"embeddable":true,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/comments?post=4809"}],"version-history":[{"count":3,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/4809\/revisions"}],"predecessor-version":[{"id":104276,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/4809\/revisions\/104276"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/media\/22496"}],"wp:attachment":[{"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/media?parent=4809"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/categories?post=4809"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/tags?post=4809"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}