
Defining ISO 27001 policy & scope: this is how you do it
Step 1: determine the scope — draw the circle
The scope defines the limits of your Information Security Management System (ISMS). Many organizations make the mistake of wanting to certify everything immediately, but for SMEs, it is often smarter to focus on the core processes. When determining the scope, you look at:
- Locations: Which physical offices or data centers are covered by the certification?
- Services and products: for which specific services do you want to obtain the certificate?
- Internal and external factors: what requirements do customers impose, and which legislation (such as the AVG or NIS2) applies to you?
A sharp scope prevents unnecessary ISO 27001 costs and ensures that your team is not overloaded during implementation.
Step 2: drafting the information security policy
The information security policy is the overarching document in which the management defines its vision and ambitions in the field of security. It is not a technical manual, but a strategic document.
Key policy elements include:
- Goals: what do you want to achieve with information security?
- Roles and responsibilities: who is the Security Officer and who reports to management?
- Compliance: how do we verify that employees are complying with the rules?
Step 3: The link to the Statement of Applicability (SoA)
Once the scope and policy are in place, the Statement of Applicability follows. In it, you link the risks identified in your organization to the 93 control measures (controls) of the standard and record, based on your chosen scope, exactly which measures you will implement and which you will not, with a justification for each.
Why this is more important than ever now
With the imminent enforcement of the Cybersecurity Act in 2026, a clear scope and policy will become a legal necessity for many companies. It not only helps you obtain your ISO 27001 certificate, but also to demonstrate your duty of care as an organization.
Need help drawing the right circle?
Determining the scope is a strategic choice that has a major impact on the success and costs of your process. Do you want to make sure that your scope and policy meet the auditor's requirements? Then schedule an informal and free consultation. Together, we lay the foundation for a safer organization.