ISO/IEC 27001 in Practice

Establishing Scope

Scope are all the activities or services, people, processes, places and data that will be subjected to the risk controls and processes to implement for ISO.

Boundaries to establish scope:

  • External and internal factors
  • Interested parties
  • Relationship between activities performed by your organization and other organizations

Boundaries to consider:

  • Business activities
  • Location specific
  • Channel specific (on-line or off-line)
  • Specific product/services
  • Considerations from customer perspective

The first thing to do is lay down all the operations of a given system, and determine what parts of the entire operation we want to select for ISO 27001.

For example, a web application may have a core application with a database which does all the core work. It may also have an onboarding process for new client and a CRM with a support team, as well as a billing system. Here we select which operation to put in the scope. Depending on the goal of the company, one could choose to limit the scope to operations which handle customer information and PII.

Risk Assessment

Repeatable Methodology for a risk assessment:

  • Criteria for accepting risk (appetite)
  • Identifying risks (CIA: Confidentiality, Integrity and Availability)
  • Analyzing risks
  • Evaluating risks

Determining Applicability

One shall justify for the inclusion or exclusion of controls and whether to implement them or not.

After establishing the scope, one should go and check every control presented by ISO 27001 and check if the control is applicable or not. For each, the reason for the inclusion or exclusion must be clearly written.

Required Documents

Mandatory Documents:

  • Procedures
  • Policies

Mandatory Records:

  • Internal Audit records
  • Correct Action records


  • Stage 1 Audit: 1 day
  • Stage 2 Audit: 2 days
  • Entire process end-to-end: 12-18 months (assuming no ISO experience)