Problems with Defining the Scope in ISO 27001

Wednesday, July 07, 2010

Dejan Kosutic


You probably know that the first step in an ISO 27001 implementation is defining the scope. What you probably didn't know is that this step, although simple at first glance, can sometimes cause you quite a lot of trouble.

Namely, a lot of companies try to decrease their implementation costs by narrowing the scope, but they often find themselves in a situation where such a scope gives them a headache.

So, where is the problem?

The problem when the ISO 27001 scope is not the whole organization is that the Information Security Management System (ISMS) must have interfaces to the "outside" world - and in this context the outside world consists not only of clients, partners, suppliers etc., but also of the organization's own departments that are not within the scope.

It may seem funny, but a department which is not within the scope should be treated in the same way as an external supplier.

For instance, if you decide that only your IT department is within your scope, and this department uses the services of the purchasing department, the IT department should perform a risk assessment of the purchasing department to identify whether there are any risks to the information for which the IT department is responsible; moreover, those two departments should sign terms and conditions for the services provided.

Why is such overhead necessary? You have to put yourself in the certification body's shoes - it must certify that within your scope you are able to handle information in a secure way, while it cannot check any of your departments outside the scope.

The only way to handle such a situation is to treat such departments as if they were external companies. (Please note: certification auditors never like a narrow scope.)

This is not where the trouble stops. Sometimes a narrow scope is simply not possible, because there is no clear interface with the outside world. For instance, if employees from both within the scope and outside the scope sit in the same room, such a scope is hardly feasible; if employees within and outside the scope use the same local network (with no segregation) and have access to the same network services, such a scope is definitely not possible - there is no way you would be able to control the information flow only inside the scope.

The point here is that narrowing your ISMS scope is sometimes impossible, and in most cases it will bring you unnecessary overhead. Therefore, what initially didn't seem like a good solution might be the optimal one after all: try to extend your scope to the whole organization. The rule of thumb is: if your organization has no more than a few hundred employees, and one or just a few locations, the best thing would be for the ISMS to cover the whole organization.

On the other hand, if you really cannot cover the whole organization with your ISMS scope, try to set it around an organizational unit which is sufficiently independent; then settle the relationships with the organizational units outside the scope by defining their services in internal documents (policies, procedures etc.) that serve as "agreements" - in this way you can document those organizational units' obligations in a manner that is usable in daily operations.
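The two checks described above (which out-of-scope departments an in-scope department depends on, and whether shared rooms or an unsegregated network make the narrow scope uncontrollable) can be run mechanically over a department inventory. The following is an added example, not code from the original post; the department inventory, room names and VLAN names in it are constructed for illustration.

```python
"""Interface and feasibility review for a narrow ISO 27001 scope.

Added example (not part of the original article). The rules encode the
article's two points:
  1. every out-of-scope department that an in-scope department depends on is an
     interface that needs a risk assessment and an internal "agreement";
  2. a room or an unsegregated network segment shared between in-scope and
     out-of-scope staff means the information flow cannot be controlled, so the
     narrow scope is not feasible.
The inventory at the bottom is constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Department:
    name: str
    in_scope: bool
    rooms: set                      # rooms where the department's staff sit
    network_segments: set           # network segments (VLANs) its staff use
    uses_services_of: set = field(default_factory=set)  # departments it depends on


def scope_review(departments):
    """Return (interfaces, blockers) for the departments flagged in_scope.

    interfaces: (in-scope dept, out-of-scope dept) pairs; each pair needs a risk
                assessment and a documented service agreement.
    blockers:   human-readable reasons why the scope cannot be controlled.
    """
    by_name = {d.name: d for d in departments}
    inside = [d for d in departments if d.in_scope]
    outside = [d for d in departments if not d.in_scope]
    interfaces, blockers = [], []
    for d in inside:
        # Dependencies on departments outside the scope are "supplier" interfaces.
        for dep in sorted(d.uses_services_of):
            if dep in by_name and not by_name[dep].in_scope:
                interfaces.append((d.name, dep))
        # Shared rooms and shared network segments with outsiders are blockers.
        for o in outside:
            for room in sorted(d.rooms & o.rooms):
                blockers.append(f"{d.name} and {o.name} share room {room}")
            for seg in sorted(d.network_segments & o.network_segments):
                blockers.append(f"{d.name} and {o.name} share unsegregated network {seg}")
    return interfaces, blockers


def scope_is_feasible(departments):
    """A narrow scope is feasible only when no blocker exists."""
    return not scope_review(departments)[1]


# Constructed inventory: only IT is in scope; HR sits in IT's room and Sales
# is on IT's VLAN, so this scope would fail the feasibility check.
CONSTRUCTED_INVENTORY = [
    Department("IT", True, {"2nd-floor-east"}, {"VLAN-IT"}, {"Purchasing", "HR"}),
    Department("Purchasing", False, {"1st-floor"}, {"VLAN-OFFICE"}),
    Department("HR", False, {"2nd-floor-east"}, {"VLAN-OFFICE"}),
    Department("Sales", False, {"1st-floor"}, {"VLAN-OFFICE", "VLAN-IT"}),
]


def remediated_inventory():
    """Same organization after moving HR out of IT's room and taking Sales off
    the IT VLAN; the interfaces remain and must be covered by agreements."""
    return [
        Department("IT", True, {"2nd-floor-east"}, {"VLAN-IT"}, {"Purchasing", "HR"}),
        Department("Purchasing", False, {"1st-floor"}, {"VLAN-OFFICE"}),
        Department("HR", False, {"2nd-floor-west"}, {"VLAN-OFFICE"}),
        Department("Sales", False, {"1st-floor"}, {"VLAN-OFFICE"}),
    ]


if __name__ == "__main__":
    for label, inv in (("narrow scope", CONSTRUCTED_INVENTORY),
                       ("remediated", remediated_inventory())):
        interfaces, blockers = scope_review(inv)
        print(f"== {label}: feasible={not blockers}")
        for pair in interfaces:
            print("  interface needing risk assessment + agreement:", pair)
        for b in blockers:
            print("  blocker:", b)
```

Running the module prints the interfaces IT has with Purchasing and HR in both cases; the constructed narrow scope is reported as infeasible because of the shared room and shared VLAN, while the remediated inventory passes and leaves only the two interfaces to be covered by internal agreements.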

There you go - you have solved the first step in your ISO 27001 implementation.

Cross posted from

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
