Phase 3—Select the Proper Scope of Implementation
ISO/IEC 27001 allows the scope of implementation to cover
all or part of an organization. According to section B.2.3,
Scope of the ISMS, only the processes, business units, and
external vendors or contractors that fall within the scope of
implementation need to be specified for certification. The
standard also requires companies to list any scope
exclusions and the reasons for them.
Identifying the scope of implementation can save the
organization time and money. The following points should
• The selected scope helps to achieve the identified
• The organization’s overall scale of operations is an integral
parameter needed to determine the compliance process’s
• To find out the appropriate scale of operations,
organizations need to consider the number of employees,
business processes, work locations, and products or
• What areas, locations, assets and technologies of the
organization will be controlled by the ISMS?
• Will suppliers be required to abide by the ISMS?
• Are there dependencies on other organizations? Should they
• Any regulatory or legislative standards that apply to
the areas covered by the ISMS should be identified.
Such standards may come from the industry in which
the organization works; from state, local or federal
governments; or from international regulatory bodies.
The scope should be kept manageable, and it may be
advisable to include only parts of the organization, such as a
logical or physical grouping within the organization.
Phase 4—Define a Method of Risk Assessment
To meet the requirements of ISO/IEC 27001, companies need
to define and document a method of risk assessment. The
standard does not prescribe which risk assessment method to
use, but it does require that the chosen method produce
comparable and reproducible results.
method to be used. The following points should
• The method to be used to assess the risk to identified
• Which risks are intolerable and, therefore, need to
• Managing the residual risks through carefully considered
policies, procedures and controls
Choosing a risk assessment method is one of the most
important parts of establishing the ISMS. Use of the following
will be helpful:
• NIST Special Publication (SP) 800-30 Risk Management
Guide for Information Technology Systems
• Sarbanes-Oxley IT risk assessment
• Asset classification and data classification documents
(determined by the organization)
ISO/IEC 27001 requires risks to be evaluated in terms of the
loss of confidentiality, integrity and availability (CIA):
• Confidentiality—Clause 3.3: Ensuring that information is
accessible only to those authorized to have access
• Integrity—Clause 3.8: Safeguarding the accuracy and
completeness of information and processing methods
• Availability—Clause 3.9: Ensuring that authorized users
have access to information and associated assets