Ensuring the Security of Information

ISO27001 Certification ISMS Scope

Filed under: ISO27001 — InfoSec Guy @ 9:56 am July 7, 2010

There are a number of variables that directly impact the scale and complexity of any ISO 27001 Information Security Management System (ISMS), and perhaps the most significant of these is your chosen scope.

Defining your ISMS scope should be one of the very first things you do when embarking upon an ISO 27001 project, so that all the information assets within that scope can be identified and their associated risks assessed. Your chosen scope can be drawn around geographical locations, internal departments, business processes or even individuals; it doesn’t necessarily need to cover your entire organisation.

However, it is important to remember that for your ISMS to be effective, the parts of the organisation you certify must align with the areas that could actually affect your security and deliver the most value. For instance, are all the people with access to your critical information included within the certification scope? If not, the certificate says little about how that information is really protected.

Clearly any security-savvy client will want reassurance that the way in which you handle, process, store and even dispose of their sensitive information is covered within the scope of your certification; they may even insist that specific security measures be defined in your contracts.

Also, don’t forget, your chosen statement of scope will appear on your certificate, so it is essential to get it right!
