September 28, 2021

Last Updated on January 19, 2024

In the ISO 27001 framework, the most important element is scope. But because ISO 27001 isn’t as prescriptive as some other cybersecurity frameworks, like SOC 2 or CMMC, people often think that an organization can arbitrarily define the scope of their ISO 27001 information security management system (ISMS) to be whatever they want. This is one of the most common misconceptions we run into in our ISO 27001-as-a-Service practice.

But if you don’t define your scope, who or what does? What does this issue look like and how can you avoid it?

To unpack the top 10 most common mistakes and misconceptions he sees among organizations preparing for ISO 27001 certification, John Verry, Pivot Point Security CISO and Managing Partner, recorded a special podcast on this topic in response to multiple client requests.

Letting information define scope

“You want to make sure you have the ladder against the right wall before you start climbing it,” John relates. “One of the mistakes people often make when thinking about scope is, ‘I know I’m allowed to scope ISO 27001, right? I’m allowed to define what it is that I’m protecting. So, we’re just going to protect our email system and our SharePoint system…’”

But many companies are pursuing ISO 27001 certification because their clients want them to. And those clients want their data protected in all the places it resides—not just a couple of the big ones.

“Are you really giving those clients the assurance that they’re seeking?” asks John. “If a client sees ‘email and SharePoint’ and they know some of their data is on your consultant’s laptop, you’re going to have an unhappy client. They’re not going to accept your scope.”

“That’s why I always like to say that you should really let information define your scope,” John clarifies. “If a system stores, processes or transits information that you’re trying to protect, then you should include that within your ISO 27001 scope. Because you want to protect information through its full lifecycle.”

If your organization is pursuing ISO 27001 certification, you’ll love all the time- and money-saving tips and insights in this very practical podcast with ISO 27001 guru John Verry.

If your organization is pursuing ISO 27001 certification, you’ll find huge strategic and practical value by listening to the full podcast: EP#62 – John Verry – What People Get Wrong About ISO 27001 Compliance – Pivot Point Security

Looking for some more information to help define your ISO 27001 scope? Check out this blog post: ISO 27001 Certification Shouldn’t Start with a Gap Assessment – Pivot Point Security