Tips to describe a proper scope
2 min. read
Just started or about to start the certification process? One of the first things to define is the scope of the certification: the type of activities, products and services it covers, as applicable at each site, described in a way that is neither misleading nor ambiguous.
Keep in mind that anything outside the scope is not included in the certification. That is, it will not be researched or tested.
What is a scope?
What does "scope" mean? A scope indicates the nature, size and boundaries of the certification. It is a textual description of the activities and processes of the organization being audited.
A scope description shows the outside world exactly which part of the organization has been audited and certified. A well-defined scope provides clarity, direction and focus. When describing the scope, it is best to keep the following in mind:
Formulate the scope in such a way that a third party immediately sees and understands what the certificate has been issued for. The scope must specify which activities, processes and/or services comply with the relevant standard.
The management system to be certified is built on the basis of a predefined scope. The scope of certification is determined during the certification application. Based on the scope description, a certification body can determine whether it is in a position to certify the customer.
Supporting processes
It is not usual to explicitly mention supporting processes within an organization in the scope description if they do not have a prominent role within the scope of certification. Think of Marketing, HR and Purchasing. This does not mean that they are by definition not part of the certification: parts of, for example, HR or Purchasing may well fall within the scope.
As a rule of thumb, everything that directly affects the primary process, including the service or product delivered to the customer, should be mentioned in the scope description (insofar as it is part of the scope).
Tips
- Ensure that the scope is properly defined based on what is controlled within the management system;
- Use the indefinite (infinitive) form of verbs and limit the use of pronouns;
- Avoid using abbreviations;
- Don’t use ambiguous or misleading sentences;
- Do not use value or subjective judgements (sales language);
- Use verbs.
For example:
“Selling or repairing cars”
Instead of:
“Car dealer”
When there are several activities, it is good to use a structure in which all activities are presented as one scope, so that the scope cannot be interpreted in a misleading or ambiguous way. In such a case, a scope can be built up with bullets, for example:
“Information security related to:
– developing, implementing and managing software……
– the provision of services that ……..”
Scope description ISMS
Examples of a proper scope description for an ISMS certification:
– Information security related to the development, implementation and management of software for the purpose of saving, storing and processing all (medical) data to support occupational health and safety services, including managing databases and servers in an (external) computer center within the EU.
– Information security related to advising, designing, developing, integrating, maintaining and operating mobile and web applications for, among other things, the processing of personal health information and the provision of associated external hosting services.
With NEN 7510 certifications, the scope of certification must make clear which activities, products or services related to the management of personal health information have been outsourced, specifying the applicable controls from the auditee's statement of applicability. An example scope is:
“Information security related to setting up, configuring and managing IT environments for office automation in which personal health information (depending on the customer) may be processed, where the application and storage of personal health information is partly outsourced.”