Meghan Trainor was on to something… those are the lyrics to that song, right?
Last week one of my clients got a little frantic about the scope of his company’s ISO 27001 engagement. They’re a SaaS vendor and he was stuck on the idea that “We need to protect our clients’ environments!”
No, you don’t. You only need to protect your customers data that you store, process, or transmit. You don’t need to worry about their computers, or their staff, or belongings left in cars outside their facility.
To scope an ISO 27001 engagement, keep asking the following question: What data are you trying to protect?
“All you’re doing is protecting data.”
Don’t make it about anything more than that. You don’t need to overcomplicate your ISO 27001 scope.
All you’re doing is protecting data. Understand what data you need to protect and include that in your scope. Then let the ISO 27001 standard do what it does best—guide you in mitigating the risks involved in protecting that data.
Yes, you need physical controls to keep your work environment safe, and so forth. But that’s not really part of your ISO 27001 ISMS scope. It really is all about the data.
“Simplify” is a core value at Pivot Point Security, with good reason. When it comes to ISO 27001 scope or other information security initiatives, simple is crucial. This is even more important when seeking an initial ISO 27001 certification or SOC 2 attestation. If you find you need to expand your ISO 27001 ISMS scope, you can do that down the road.
If your organization would benefit from guidance on scoping an ISO 27001, SOC 2 or similar engagement, contact Pivot Point Security. Our unique “as-a-Service” model is perfect for establishing a clear scope, developing a roadmap and staying on target so you reach your goals efficiently.