Tips to describe a proper scope

2 min. reading time

Have you just started, or are you about to start, the certification process? One of the first things you will have to define is the scope of the certification: the type of activities, products and services as applicable at each site, described in a way that is neither misleading nor ambiguous.

Keep in mind that anything outside the scope is not included in the certification. In other words, it will not be examined or tested.

What is a scope?

Scope meaning: a scope indicates the nature, size and boundaries of the certification. It is a textual description of the activities and processes of the organization being audited.

A scope description shows the outside world exactly which part of the organization has been audited and certified. A well-defined scope provides clarity, direction and focus. When describing the scope, it is best to keep the following in mind:

Formulate the scope in such a way that a third party immediately sees and understands what the certificate has been issued for. The scope must specify which activities, processes and/or services comply with the relevant standard.

The management system to be certified is built on the basis of a predefined scope. The scope of certification is determined when applying for certification. Based on the scope description, a certification body can determine whether it can certify the customer for that scope.

Supporting processes

It is not usual to explicitly mention supporting processes of an organization in the scope description if they do not have a prominent role within the scope of certification. Think of Marketing, HR and Purchasing. This does not mean that they are by definition excluded from the certification: parts of HR or Purchasing, for example, may well fall within the scope.

You could say that everything that directly affects the primary process, including the service/product to the customer, should be mentioned in the scope description (insofar as this is part of the scope).

Tips

  • Ensure that the scope is properly defined based on what is controlled within the management system;
  • Use an impersonal, indefinite form and limit the use of pronouns;
  • Avoid using abbreviations;
  • Do not use ambiguous or misleading sentences;
  • Do not use value or subjective judgments (sales texts);
  • Use verbs.

For example:
“Selling or repairing cars”

Instead of:
“Car dealer”

With several activities, it is good to use a structure so that all activities are read as one scope, to prevent the scope from being interpreted in a misleading or ambiguous way. In such a case, a scope can be built up by means of bullets, for example:
“Information security related to:
– developing, implementing and managing software……
– the provision of services that ……..”

Scope description ISMS

Examples of a proper scope description for an ISMS certification:

– Information security related to the development, implementation and management of software for the purpose of saving, storing and processing all (medical) data to support occupational health and safety services, including managing databases and servers in an (external) computer center within the EU.
– Information security related to advising, designing, developing, integrating, maintaining and operating mobile and web applications for, among other things, the processing of personal health information and the provision of associated external hosting services.

With NEN 7510 certifications, the scope of certification must make clear which activities, products or services related to the management of personal health information have been outsourced, specifying the applicable controls from the auditee’s ‘statement of applicability’. An example scope is:

“Information security related to setting up, furnishing and managing IT environments for office automation where personal health information (depending on the customer) can be processed, of which the application and storage of personal health information is partly outsourced.”

Updated on 17 May 2023