Dear friends, welcome back. Thanks for all the positive responses and likes, which motivate me to write better than in my previous article. Today we will try to understand how to decide and write the scope of any audit or implementation of an ISMS.

Scope describes the extent and boundaries of the audit or implementation in terms of factors such as physical locations, organizational units, activities and processes to be audited and, where relevant, the time period covered by the audit (according to ISO 27001:2005).

According to my understanding, we can use the following format to write the scope of any audit or implementation:-

· Objective :- We will first define our objective (try to keep it short and simple, not more than two lines).

· Boundary or Requirement :- Here we will set out the boundaries (for example, if the company where we have to implement the ISMS has 12 departments but we only want to include 8 of them, then we will mention those 5 department names here).

· Extent :- The last thing is the extent to which we will go to achieve the above-mentioned objective.

Now, before going into any technicality, let’s try to understand scope through day-to-day activities. For example, if I have to decide the scope of going to office, then it involves:-

1. Objective:-

a) Reaching office

2. Boundary:-

a) Reaching office before 9:30am (race against time)

b) Staying alive (tug of war @Mumbai Local), so to survive I always prefer a slow local starting from my source station


3. Extent:-

a) If I am running late, then I can catch a fast local.

b) I can go by bus if, for some reason, the local is not available.

Many will feel that we can book a cab and reach office on time, but as I mentioned above, we are talking about my scope of reaching office on time. My pocket doesn’t allow me to go to office by cab, and hence I will prefer to be late as compared to booking a cab and reaching office on time.

So, the boundary for me reaching office is the timeline (i.e., 9:30am), and the extent to which I will go to reach office is the mode of transportation.

Now we will try to decide the scope of implementation of an ISMS within an organization which deals in software development and which has offices across the country:-

1. Objective :- The objective will be the implementation of an ISMS within the organization.

2. Boundary / Requirement :- We will define the boundary of our implementation. For example, if we have 5 departments within our organization, i.e.,

a. IT Support

b. Development Team

c. Database Team

d. Network Team

e. Admin

Out of the above-mentioned 5 teams, I don’t want my Admin team to comply with the ISMS, so I can keep the Admin team out of the boundary of my scope. So, our boundary within the organization will be IT Support, Development Team, Database Team and Network Team.

3. Extent :- We can define the extent as all the offices in the country, or, if management wants to go with a particular region (for example, the Northern Region), then the extent of our implementation will be all the offices in the northern region.

We shall always keep a few things in mind while defining the scope:-

· It shall be short and precise

· Boundaries shall be well defined

· Extent shall be clearly defined

· There shall be a proper approval of defined scope from the senior management