ISO 27001 Scope

At the heart of the ISO 27001 Standard is the development of an Information Security Management System (ISMS) within the organization.

The organization should define the scope of its ISMS in relation to its business needs, the structure of the organization, its locations, its information assets and its technologies. The ISMS can be as small or as large as the organization wants to design it; it can cover a small part of the organization or the entire organization. However the scope is defined, all of the requirements of the ISO 27001 Standard must be applied and operational within the ISMS.

The design and implementation of the organization’s ISMS will also be influenced by its business and security objectives, its security risks and control requirements, the processes employed, and the size and structure of the organization: a simple situation requires a simple ISMS.

Additional considerations when thinking through the scope and design of the ISMS include:

  • The design and adoption of an ISMS should be a strategic decision driven by top management and carried down through the organization. It is not exclusively an IT decision.
  • The ISMS will evolve systematically in response to changing risks.
  • Areas outside the ISMS are by definition less trustworthy, so additional security controls may be needed for any business processes that pass information across the ISMS boundary.
  • Compliance with ISO 27001 can be formally assessed and certified by a qualified Certification Body such as Coalfire ISO.
  • A formally certified ISMS builds confidence in the organization’s approach to information security management among stakeholders, both internal and external.