The Control Room: ISO 27001 Control Spotlight – 5.30 ICT Readiness for Business Continuity
When organisations first start an ISO 27001 implementation, someone in the room inevitably says: “Shouldn’t we just put the whole business in scope?”
It sounds mature. It sounds ambitious. It sounds like the kind of thing that belongs in a board pack.
If your business is over a certain size, it can also be a fast track to pain.
ISO 27001 is built around an Information Security Management System, or ISMS. That system needs to be properly scoped, operated, reviewed and improved. In practice, your scope determines almost everything that follows: your risks, your controls, your policies, your evidence, your audits, and your ongoing compliance workload.
So…no pressure.
Bigger is Not Always Better
A broad ISO 27001 scope can make sense for some organisations. But for many, especially larger organisations pursuing certification for the first time, “everything” quickly becomes too much.
This is particularly true for large businesses, holding companies, groups with multiple brands, or organisations with very different business units. What looks like one organisation on paper may actually operate as several distinct businesses in practice, each with its own systems, suppliers, processes, risks and ways of working.
Suddenly the ISMS includes systems no one fully understands, legacy processes nobody has touched since 2017, teams that were not prepared for certification, and suppliers that may or may not have been reviewed properly.
Congratulations. Your certification project is now a group assignment with 14 teams, 72 spreadsheets and one person quietly regretting every decision that led to this moment.
The goal is not to make the scope as large as possible. The goal is to make the scope clear, defensible and manageable.
For a larger organisation, that may mean starting with a specific business, brand, function, product, service, location or business unit rather than trying to certify the whole enterprise on day one.
The Scope Needs to Reflect Reality
A good ISO 27001 scope should answer a few simple questions:
What are we protecting?
Where is it processed, stored or accessed?
Which teams, systems, locations and suppliers are involved?
What commitments are we making to customers, partners or regulators?
The danger comes when organisations scope based on aspiration rather than reality. They include processes that are not mature. They include teams that are not ready. They include systems where ownership is unclear. Then they wonder why implementation feels like dragging a filing cabinet through wet cement.
Your scope should not be an aspirational, fantasy version of your business. It should reflect how the business actually operates.
That is why a focused starting point can be so valuable. If one business unit has a clear customer requirement, a defined service, a known technology environment and accountable owners, it may be a much better candidate for initial certification than the entire organisation.
The Customer-Pressure Problem
Sometimes scope gets inflated because of customer pressure. A customer asks for ISO 27001. The organisation panics. Everyone assumes the safest answer is to include everything.
However, customers usually want assurance over the service, product, environment or information handling that matters to them. That does not always mean the entire organisation needs to be in scope on day one.
For example, if a customer relies on a particular SaaS platform, managed service, consulting team or operational function, the ISO 27001 scope may be able to focus on that part of the business. The scope still needs to be accurate, meaningful and defensible, but it does not automatically need to include every brand, subsidiary, office, internal platform and back-office function.
A focused scope can still be commercially strong if it is clear and honest. The problem is not a smaller scope. The problem is a vague one.
Why Auditors Care
Auditors do not expect perfection. However, they do expect consistency. If your scope says one thing, but your controls, evidence and actual operations tell a different story, that creates problems.
A strong scope gives the auditor a clear boundary. It explains what is included, what is excluded, and why. It also helps the organisation avoid wasting time gathering evidence for areas that were never relevant to the certification objective in the first place.
This matters even more in larger organisations. If one subsidiary, division or business unit is in scope, the boundaries need to be clear. Shared services, corporate IT, HR, finance, procurement and group-level governance may still play a role, but that does not necessarily mean every part of the group is certified.
In other words, good scoping saves everybody from unnecessary suffering. And frankly, we reckon that’s a win for everyone involved.
Scope Should Evolve
Your first ISO 27001 scope does not need to be your forever scope.
Many organisations start with a focused scope, achieve certification, then expand over time as their ISMS matures. That is usually far more sustainable than trying to boil the ocean during the first implementation.
For larger organisations, this staged approach can be especially useful. Start with the business, service or unit where certification matters most. Build the ISMS properly. Prove it works. Learn from the audit process. Then expand to other areas when the organisation is ready.
Compliance maturity is built in layers. Start with what matters most. Build the system properly. Prove it works. Then expand with confidence.
The Foundation
The ISO 27001 scope is not a small admin decision. It is the foundation of the whole system. Get it right, and implementation becomes clearer. Get it wrong, and everything becomes harder than it needs to be.
So before you proudly declare “everything is in scope,” pause. Ask whether the business can actually support that claim.
And if you are part of a larger organisation, ask whether “the business” really means the whole group, or whether a specific business, business unit, product, service or operating environment would be a smarter place to start.
Because in ISO 27001, the smartest scope is not always the biggest one. It is the one you can run, maintain and prove.
Need Help Getting Your Ducks in a Row?
de.iterate helps organisations build ISO 27001 programs that reflect how the business actually works, from scope and risks through to policies, evidence, audits and continuous assurance.
This way, your ISMS is not just certified. It is usable.