How do you Identify and Then Manage Your ISMS Scope?

Published on 27 July 2022

When you are looking at the processes associated with managing the security of your organisation’s information assets, there are a number of occasions where you will need to consider the scope of what you are doing. But first, we need to answer a basic question.

What is scope?

Scope is simply a description of what is included within the processes you are conducting and what is excluded; in other words, what is covered by your approach to information security and what is not. Within this description, it is important to consider all the different characteristics of your organisation. For example, it is likely you will need to consider most, if not all, of the following when defining your scope:

  • Processes
  • Technology
  • Departments
  • Physical locations
  • People
  • Services
  • Third parties

You should think of each of the above in terms of their boundaries. So, your scope description should include an understanding of what is included within the boundary, along with a stated justification for its inclusion and, specifically, what is excluded or held outside the boundary, if appropriate.

For example, if you state under physical locations, ‘all physical locations are included’, then there would be no need to state the exclusions as there aren’t any.

It is particularly important to state a justification for something being excluded from scope so that anyone reading the report understands the reason for the exclusion.

So, where does scope need to be considered? The first is a big picture view. You need to consider the scope of your information security efforts.

Is it everything that the whole business would benefit from, or does it need to be broken down into smaller component parts?

For example, you might want to ensure that information security is well managed in the departments where personal and customer information is handled, and perhaps exclude areas where there is no sensitive information. Or you might want to concentrate only on those business processes that generate significant revenue.

Other areas to consider in terms of scope include your risk management programme and your internal audit programme. These too have a big picture element and a more focused element.

The big picture scope needs to take into consideration all the areas of the business that need to be risk assessed and audited over the duration of your programme, which may cover a three to five-year period, whereas the more focused scope considerations come into play when you are planning individual risk assessments or audits.

Do bear in mind that a sensible, achievable scope should be a starting point. You may look to extend your big picture scope over time.

So, if ISO 27001 certification is your goal, start with a sensible, meaningful and achievable scope, then look to expand the scope as your approach matures.

Are you looking to implement ISO 27001? Or certify against the Standard?

URM offers a host of consultancy services to assist you in implementing and maintaining ISO 27001, including gap analyses, risk assessments, policy development, auditing and training.