Module 9: Maintaining the Kingdom

Scope Changes

Your organization evolves—your ISO 27001 scope must keep pace. Here's how to manage scope changes smoothly.

What is Scope?

Scope defines the boundaries of your ISMS:

  • Which parts of the organization
  • Which locations or sites
  • Which products or services
  • Which processes and systems
  • Which information assets

Example: "The provision of cloud-based SaaS accounting software to small businesses, including development, operations, and customer support, conducted from our Seattle headquarters and remote workforce."

Why Scope Changes

Growth and Expansion

  • New products or services
  • New locations or offices
  • New countries or markets
  • New systems or platforms
  • Cloud migration

Business Changes

  • Mergers and acquisitions
  • Organizational restructuring
  • Outsourcing or insourcing
  • New business models

Scope Refinement

  • Excluding non-relevant activities
  • Clarifying boundaries
  • Expanding certification value
  • Meeting customer requirements

Types of Scope Changes

Major Changes (Require CB Notification)

  • Significant increase in scope (>25%)
  • New high-risk processes
  • New locations in different countries
  • Major technology changes
  • Changes affecting ISMS effectiveness

May Trigger: Special audit, extended surveillance, certificate revision

Minor Changes (Next Regular Audit)

  • Small organizational changes
  • New system within existing service
  • Minor location changes
  • Scope clarifications

Scope Reductions (Generally Easier)

  • Removing locations or services
  • Narrowing focus
  • Exclusions must be justified

The Scope Change Process

Phase 1: Identify (Immediate)

  • Document what's changing
  • Assess ISMS impact
  • Determine whether the ISMS scope is affected

Phase 2: Assess Impact (1-2 Weeks)

Questions:

  1. Does this fall within current scope?
  2. What ISMS elements are affected?
  3. What's the timeline?
  4. What are the risks?

Phase 3: Plan (2-4 Weeks)

Create scope change plan:

  • Notify certification body
  • Update risk assessment
  • Review/update SoA
  • Update policies
  • Implement additional controls
  • Internal audit of the new scope
  • Management review approval

Phase 4: Notify CB (ASAP)

Communicate:

  • Description of change
  • Effective date
  • ISMS impact
  • Control changes
  • Audit implications

Phase 5: Update Documentation (2-4 Weeks)

Update These:

  1. Scope statement
  2. Context of organization
  3. Risk assessment
  4. Statement of Applicability
  5. Policies and procedures
  6. Information asset register

Phase 6: Implement Controls (4-8 Weeks)

  • Deploy required controls
  • Configure systems
  • Train personnel
  • Test effectiveness
  • Prioritize by risk

Phase 7: Verify (2-4 Weeks)

  • Internal audit of new scope
  • Management review
  • Correct gaps
  • Get formal approval

Phase 8: External Audit

Be Ready to Show:

  • Why scope changed
  • How risks were assessed
  • What controls implemented
  • Evidence of operation
  • Effectiveness measures

Special Considerations

Cloud Migration

  • Physical datacenters → Cloud facilities
  • Third-party risk assessment
  • Shared responsibility model
  • Data location considerations

Remote Work Expansion

  • "Office" → "Office and remote workforce"
  • Endpoint security controls
  • VPN and remote access
  • BYOD policies

M&A Options

  1. Extend existing certification
  2. Maintain separate certifications
  3. Exclude from scope initially

Allow 6-12 months for ISMS integration.

Geographic Expansion

New countries may require:

  • Additional legal/regulatory compliance
  • Data residency controls
  • Local language docs
  • Local audit representation

Valid Exclusions

  ✓ Not relevant to business
  ✓ Not applicable
  ✓ Outsourced (but manage third-party risk)

  ✗ "Too hard"
  ✗ "Not ready yet"
  ✗ To avoid scrutiny

Common Mistakes

  1. Not notifying CB → Findings, possible suspension
  2. Scope creep without update → Confusion, audit surprises
  3. Implementing before controls ready → Security gaps
  4. Incomplete risk assessment → Missing controls
  5. Forgetting M&A implications → Certificate coverage gaps

Scope Change Checklist

  • Change identified and documented
  • Impact assessment completed
  • CB notified (if major)
  • Scope statement updated
  • Risk assessment extended
  • SoA reviewed
  • Policies updated
  • Controls implemented and tested
  • Assets registered
  • Personnel trained
  • Internal audit completed
  • Management approval obtained
  • Ready for external audit
  • Certificate revision requested

Strategic Scope Decisions

Narrow Scope:

  • Faster to certify
  • Lower cost
  • Easier to audit
  • But: Less market value

Broad Scope:

  • Greater differentiation
  • Meets more customer needs
  • Comprehensive security
  • But: More complex

Find Your Balance: Cover what matters to customers and business while remaining manageable.

Next Lesson: Preparing for recertification.