Working your way towards your ISO 27001 certification is definitely not an easy task for any size of organization, and it seems to get more and more complex the larger you are. As with any security protocol, it has to be done deliberately and thoroughly to get the holistic protection and certification that you’re looking for. This means no shortcuts, workarounds, or cutting any corners. That said, it’s also a big responsibility and a big allocation of your company’s resources, time, and most importantly, money. Not only that, once ISO 27001 is implemented and you are certified, it will add extra steps and processes to your existing workflows to ensure that your organization functions at the highest level of security.
Starting the process of getting certified is theoretically no different than any project management or development process - you determine the scope of the project, lay out the steps, define workflows, assign responsibilities, manage timelines, and keep the key stakeholders in the loop regarding progress and deadlines. Except there’s a small catch: how do you determine the scope of your ISMS and the subsequent ISO certification? What should it include? Depending on the size of your company, you might have to decide whether this is something you can do company-wide, or whether you start with just one part of your organization and roll it out across the rest over a set period of time. Whatever you decide, you have to ensure that you do it right the first time.
What Exactly is the Purpose of The ISMS Scope?
There’s no sense in undertaking a potential review and overhaul of your organization’s security protocols if you don’t really understand what specific information you intend to protect. This is why it’s crucial that one of the first planning steps towards getting certified is defining the scope of your ISMS (Information Security Management System), to clearly outline the footprint of what you’re looking to fortify. It’s here, however, that many organizations start to falter.
Odds are that the information you intend to protect resides in a multitude of places. It’s stored on servers in your physical office, or offsite, or in the cloud. It’s accessed from your local network, from remote-access employee laptops, and from mobile devices. Or you’ve got an outsourced nearshore partner managing your IT or cybersecurity services. Essentially, the information under your purview is dispersed across various locations, and can potentially be accessed by a large number of people. You’ll be responsible for protecting this information no matter where, how, and by whom it is accessed.
So if your employees are taking their laptops home, or have been working remotely for nearly the past year, that doesn’t mean those devices are outside your scope. Far from it. If they can access your local network and all the sensitive information therein, they should be a part of your scope.
The Wider The Scope, The Longer The Process
There is absolutely every reason to include your entire organization within the scope of your ISMS. Every department has vital information worth protecting, and having your entire organization certified as one that can safeguard a client’s data can only benefit your profitability in the long term. But the process of getting certified, as we’ve mentioned before, may require a lot of work, employee-hours, infrastructure and software upgrades, and ultimately a cost for all of the above. Depending on the relative size of your organization, you may decide to certify only a certain department, for the sake of expediency and efficiency.
At first blush, this may make sense. If you’re going for your ISO certification, the auditor will only check the elements of the ISMS that fall within your scope. Any departments or systems outside of it won’t be assessed. You’ll get certified faster, and be able to hang your ISO 27001 certified shingle outside your building, but it will have an asterisk - it’s applicable to one department only. This could hamper you if you’re up against a competitor who can claim that their entire organization is certified.
Outside of that, it may also effectively cut off one department from the others. Let’s use your software development department as an example. You want that locked down first to avoid any malware, phishing, or hacks that could benefit your competitors. Therefore, you’d apply the controls in ISO 27001 Annex A to this department, have your risk management plan in place, and ensure that the data you safeguard keeps its confidentiality, integrity, and availability. But if another department isn’t up to the same security standards as the first and hasn’t gone through any of the ISO 27001 touchpoints, then you’ll need to harden the boundary between your department and the next via application shielding, firewalls, etc., not to mention restricting physical access as well.
Though it might take longer, it’s worth it in the long run to make this an organization-wide project.
The Scope Requirements for ISO 27001 Certification
There are four major requirements from ISO 27001 when defining the scope:
- Identify internal and external issues within the context of your organization.
- Identify interested parties.
- Identify dependencies and interfaces.
1) Identifying internal and external issues. As defined in clause 4.1, factors that are under the direct control of the organization (internal issues) include:
- Organizational structure - This includes roles, accountabilities and hierarchy.
- Organizational drivers - This includes values, mission statement, vision, internal culture, policies, objectives, etc… These are greatly affected by the attitudes of the employees within the organization.
- The way the organization does things - How processes work, how information flows, and how decisions are made.
- Available resources - Knowing what equipment, technologies, systems, capital, time, personnel, and knowledge you already have in your organization to guide your acquisitions, solutions and keep your information safe.
- Contractual relationships - Understanding the relationships between suppliers and customers to help the ISMS best manage their requirements.
External issues are factors that the organization has no control over, but can anticipate and adapt to. These include:
- Market and customer trends - for example, this could include the increased adoption of cloud services or mobile devices.
- Perceptions and values of external interested parties - relationships with external parties are about more than just contracts and suppliers. There are colleagues, cultures, and beliefs that need to be taken into account.
- Applicable laws and regulations - these vary by geography, but a great example is the EU GDPR, which came into effect in 2018.
- Political and economic changes - Elections, public policy changes, and local currency exchange rates - all need to be monitored.
- Technological trends and innovations - Breakthrough technology could render existing security controls obsolete, or offer new technologies in information protection.
Knowing these internal and external factors can help you comply with other clauses within the ISO 27001 framework.
2) Take into account any interested parties, as outlined in clause 4.2. This includes your stakeholders - persons or organizations that can influence your information security or business continuity, or that can be affected by those same two factors. This includes:
- Employees
- Shareholders/owners of the business
- Government agencies/regulators
- Emergency services
- Clients
- Employee families
- Media
- Suppliers and partners
Basically, you need to identify what they want from you, and account for it in detail.
3) Consider the interfaces and dependencies between what is happening within your ISMS scope and the outside world.
- Dependencies - these are the processes that are provided from outside your scope. If the scope of your ISMS covers only your core processes, then these are the critical business processes that exist outside of that scope, such as legal services, cleaning services, accounting, human resources, etc… Once you’ve defined your dependencies, you can identify the interfaces.
- Interfaces - these help your company understand its ISMS boundaries, and which inputs and outputs will be going through those boundaries. Here you’d identify all of the endpoints that you control (local network, entrance doors of the office, etc…). It may help to classify your interfaces by their high-level characteristics according to 3 categories:
- People - who needs access to your information from outside your ISMS
- Processes - support or software development, for example.
- Technology - email, VPN, FTP, live chat, etc...
4) Finally, as basic as it sounds, it’s also helpful to offer a short description of your location via a floor plan, as well as an organizational chart. These aren’t strictly required by the standard, but auditors like to see them regardless.
All of this should be organized in the one document that is your ISMS scope.
The Benefits of Defining Your ISMS Scope
Going through the activities of defining your ISMS scope might sound complicated at first, but as you go through the steps of the process, you’ll start to appreciate how well you come to understand your organization, the environment you operate in, and the security requirements you’ll need in order to protect your sensitive information. It also helps to start here, so you know what steps you’ll need to undertake next to get your certification and start selling your secure services to potential clients.