Problems with Defining the Scope of your ISMS

March 18, 2021 / by Frederid Palacios

Data security should be a top priority for all companies, especially today, when vast amounts of data are created and continuously transferred. For this reason, many organizations are pursuing ISO 27001 certification, which demonstrates that a company's information security management system (ISMS) conforms to an internationally recognized standard. The first step toward certification is defining the scope of your ISMS (clause 4.3 of the standard). The primary purpose of the scope is to state which information you intend to protect. Wherever that information lives, in company offices, in the cloud, or behind local or remote access, you are responsible for protecting it no matter where, how, and by whom it is accessed. Defining your ISMS scope is necessary for certification, and while it may seem simple, it can be a challenging process, especially for larger organizations.

First and foremost, your organization needs to understand the internal and external issues that are relevant to it and how they relate to the people and organizations with the greatest interest in them (the "context of the organization" and "interested parties" of clauses 4.1 and 4.2). This includes the legal, regulatory, and contractual requirements your organization is subject to. When defining your scope, the absolute minimum set of departments to include is the set that accesses or influences customer data and its security. But excluding other departments can be troublesome, as the following sections explain.


Narrowing the Scope

Many companies attempt to lower implementation costs by narrowing this scope, which only complicates the process further. The biggest issue with narrowing your ISMS scope is that your ISMS must have interfaces to the "outside" world. Typically, this means clients, partners, and suppliers, but with a narrowed scope it now also includes the departments of your own organization that are no longer in scope. You therefore have to treat these departments the same way you would any other external party: you must assess the risks they pose to the information inside your scope, and you will likely need them to sign terms and conditions (an internal service agreement) for the services they provide to the in-scope part of the organization. Can you see how it starts to get complicated?

You might ask why this overhead is necessary for departments within the same organization. The reason is that the audit can only verify that information is handled securely within the scope; it cannot check any department outside of it. This is why such departments must be treated as if they were external organizations. Furthermore, a narrow scope is sometimes simply impossible, because no clean interface to the rest of the organization can be defined. Yes, rolling out your ISMS in a single department or location may be less daunting. Still, the ease with which data crosses organizational and geographic boundaries on a shared network makes it unrealistic. Such transfers happen constantly in an organization where employees from inside and outside the scope routinely sit in the same room.

Additionally, most departments within an organization use the same local network and the same network services (file shares, email, collaboration tools), so there is no way to guarantee that information flows only inside the scope, which undermines the boundary the narrow scope relies on. While it is technically possible to segment the network and restrict these departments from sharing data, doing so can divide your organization and the flow of communication. It may also leave your departments with conflicting security standards, complicating security procedures in the future.

Another problem with limiting your scope to one department: the ISO 27001 certificate will state that scope, so the certification applies only to that department. While still an impressive feat, it is better for the entire organization to be certified as a whole to demonstrate a company-wide standard of security, especially when potential customers are deciding between your company and a competitor with a company-wide certification.

Ultimately, for large organizations with several locations and hundreds of employees, narrowing the scope of your ISMS is rarely practical and, in most cases, brings cumbersome overhead. While it may have seemed like a good cost-saver, it is usually not the best path to ISO 27001 certification. If your company cannot cover the entire organization within the scope, choose an organizational unit that is reasonably independent, with few and well-defined interfaces to the rest of the company. For most companies, the safest and easiest option is to extend the scope to the whole organization, avoiding the hassle of separating and auditing individual departments.
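The interface problem described above can be made concrete. The following Python script is an added example, not part of the original post: it takes a constructed asset inventory (each asset owned by a department or an external organization) and a list of data flows, then lists every flow that crosses a proposed scope boundary. Each crossing is an interface that needs a risk assessment and, for excluded internal departments, a service agreement. Running it with a narrow and a wide scope shows how the narrow scope turns internal departments into "external parties" and lets customer data cross the boundary. The departments, assets, and flows are hypothetical.

```python
"""Scope-boundary analysis for an ISMS: which interfaces does a given scope create?"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str    # asset sending data
    dst: str    # asset receiving data
    data: str   # data classification, e.g. "customer" or "internal"


# Constructed asset inventory: asset name -> owning party.
# Parties prefixed "external:" are genuinely outside the organization.
ASSETS = {
    "crm": "Sales",
    "billing": "Finance",
    "file-share": "IT",
    "ticketing": "Support",
    "hr-db": "HR",
    "payment-gateway": "external:AcmePay",
    "client-portal": "external:Clients",
}

# Constructed data flows between the assets above.
FLOWS = [
    Flow("client-portal", "crm", "customer"),
    Flow("crm", "billing", "customer"),
    Flow("billing", "payment-gateway", "customer"),
    Flow("crm", "file-share", "customer"),
    Flow("ticketing", "crm", "customer"),
    Flow("hr-db", "file-share", "internal"),
    Flow("file-share", "billing", "internal"),
]


def boundary_interfaces(scope, assets, flows):
    """Return (flow, counterpart) pairs for every flow crossing the scope boundary.

    `scope` is the set of parties (departments) inside the ISMS. A counterpart
    is whichever party sits outside: a real external organization, or an
    internal department the scope excludes and must now treat as external.
    """
    crossings = []
    for f in flows:
        src_party, dst_party = assets[f.src], assets[f.dst]
        src_in, dst_in = src_party in scope, dst_party in scope
        if src_in != dst_in:                      # exactly one end is in scope
            counterpart = dst_party if src_in else src_party
            crossings.append((f, counterpart))
    return crossings


def scope_report(scope, assets, flows):
    """Summarize what a proposed scope costs in interfaces and agreements."""
    crossings = boundary_interfaces(scope, assets, flows)
    is_external = lambda party: party.startswith("external:")
    external = {p for _, p in crossings if is_external(p)}
    internal = {p for _, p in crossings if not is_external(p)}
    # Customer data crossing to an excluded department is the case the audit
    # cannot verify and the scope owner must still answer for.
    leaks = [f for f, p in crossings if f.data == "customer" and not is_external(p)]
    return {
        "interfaces": len(crossings),
        "external_parties": sorted(external),
        "internal_parties_treated_as_external": sorted(internal),
        "customer_flows_to_excluded_departments": len(leaks),
    }


NARROW_SCOPE = {"Sales", "Finance"}
WIDE_SCOPE = {"Sales", "Finance", "IT", "Support", "HR"}

if __name__ == "__main__":
    for name, scope in (("narrow", NARROW_SCOPE), ("wide", WIDE_SCOPE)):
        print(name, scope_report(scope, ASSETS, FLOWS))
```

With the narrow scope, two internal departments (IT and Support) become interface partners needing agreements and risk assessments, and two customer-data flows leave the auditable boundary; with the whole organization in scope, only the two genuinely external parties remain. Replacing the constructed inventory with a real asset register and data-flow map turns this into a quick check on any candidate scope.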


Widening the Scope

Defining the scope of your ISMS is a vital process, but it is a time-consuming one as well. As discussed above, narrowing the scope is extremely challenging for most organizations: while a narrow scope can be cheaper and quicker to define on paper, it is nearly impossible to keep information from flowing between an organization's departments.

As a result, most companies widen their scope to the entire organization. While this is the better of the two options for most companies, it simplifies some aspects of the process and complicates others. Achieving ISO 27001 certification requires a great deal of work: employee hours, infrastructure and software upgrades, and the expenses that come with all of them. With a scope covering your entire organization, the process can be especially lengthy. You will have to carry out internal audits across the whole organization and identify the internal and external issues within every department. It will be a long and potentially expensive process.

Within each department, you will need to identify external factors such as market and customer trends, the perceptions and values of external interested parties, laws and regulations, political and economic changes, and technological trends and innovations. Any of these can make existing security measures obsolete or demand further standardization. You also need to consider interested parties, such as stakeholders, who may influence your information security. Following this, you must determine the responsible parties within each department and define the scope of their responsibilities. All of this feeds into your information security policy, which states clearly and concisely what you want to achieve through your security program.

Overall, you will face challenges no matter how you define the scope of your ISMS. Consulting an expert can help you determine the proper scope for your organization's size. While narrowing your scope may bring some savings, it will likely bring greater challenges: excluded departments that must be managed as external parties, accidental data sharing across the boundary, and the lack of a company-wide certification. A broader scope, on the other hand, is a more expensive and lengthy process, but it earns a company-wide certification, establishes a consistent security standard throughout the organization, and avoids erecting barriers between departments. Regardless of the scope you choose, you will have to put in the work to define your organization's security objectives and the methods you will use to achieve them.

It is a challenging process, but completing it brings you one step closer to ISO 27001 certification, a widely recognized and reputable security standard. With this certification, customers and partners alike will recognize your organization as one that takes the protection of valuable and private data seriously. This gives you a competitive advantage and, through the controls the ISMS puts in place, helps reduce your exposure to data breaches and cyber attacks.


Tags: Cyber Security

Written by Frederid Palacios

Fred Palacios is a seasoned software architect with more than 20 years of experience participating in the entire software development cycle across a host of different industries--from automotive and services to petroleum, financial, and supply chain. In that time, his experience working closely with high-level stakeholders has provided him with a strategic vision for developing the right solutions to flexibly meet critical business needs. As CTO of Intertec, he's continuing to focus on the creation of business-critical applications for large enterprise projects, particularly those that handle high concurrency and large datasets. He is passionate about using technology as a tool to solve real-world problems and also mentoring technical teams to achieve their maximum potential and deliver quality software.
