ISO 27001 – What Your Marketing Team Needs to Know About Scope

You just heard from executives that your organization is ISO 27001 compliant! That’s fantastic! You’re a part of an elite group of companies that have achieved ISO certification, such as Google, Microsoft, Cisco Systems and Verizon.

The ISO 27001 certification is increasingly associated with building brand reputation and customer loyalty. With so many high-profile data breaches in the news — most recently the Colonial Pipeline Ransomware attack — ISO 27001 compliance can make the difference between winning and losing new business, or even keeping your existing client base.

So, you immediately think about how this will put you above the rest of your competition and assuredly will have a whole new target market open to you. You start putting together a game plan to let the world know, with a big ISO certified badge of honor on your website, newsletters, emails, and snail-mail pamphlets. All those clients you had to turn away because they needed to work with an ISO certified organization will now come flocking back.

There is one problem, though.

Only a specific set of people, processes and systems were covered in the ISO certification scope. As a result, some parts of the organization’s systems and services may not be ISO certified. I’m sure you can imagine the slew of marketing compliance and customer issues that will come raining down on you when your customers realize the service you sold them isn’t ISO certified.

WHAT!?

The biggest misconception regarding ISO certification is that once your company obtains it, it applies to your entire organization. Unfortunately, that is not the case. ISO 27001 certification cannot be utilized to claim that any products are certified. So, what gets certified?

ISO verifies the people, processes, and systems related to the security of information that supports the products or services provided by the organization. ISO 27001 certification applies to the company’s ISMS, which is a virtual box in which the company demonstrates consistent management of information security around people, processes, and systems as defined by the organization.

When it comes to ISO 27001, scoping is more flexible than other data-driven frameworks like HIPAA, HITRUST, or even PCI. These standards dictate the scope based on the data types you process or store, like credit cards, health records, or personally identifiable information (PII). 

With ISO, you can make the scope whatever you want it to be. For example, there have been instances where the ISMS scope only included the access and services coming through a single internet connection for an organization certified under ISO 27001. Taking that into consideration, organizations may not need to apply all 114 Annex A controls enterprise wide.

ISO 27001 Scoping

To help understand this a little more, here is ISO scoping in a nutshell:

The standard focuses on what it calls the Information Security Management System (ISMS). This is a set of people, processes, and systems for systematically managing and securing an organization’s sensitive information. The goal of an ISMS is to minimize risk by proactively limiting the impact of a security incident.

An ISMS typically addresses employee behavior, processes, data, and systems. It can be targeted towards a particular type of data, such as customer data, or it can be implemented in a comprehensive way that becomes part of the company’s culture.

Scoping within the ISO 27001 standard is quite flexible so that it can apply to all organizations, regardless of type, size, or nature. Depending on the nature of vendor agreements, organizations can also indicate areas where responsibilities may be transferred to third-party vendors, such as a cloud provider like Azure, AWS, Google Cloud, or Oracle.

ISO 27001 dictates that scoping should focus on determining the key people, processes, and systems for establishing, implementing, maintaining, and continually improving the ISMS.

  1. The scoping exercise should first determine what internal or external drivers require the organization to be ISO 27001 certified.
  2. After determining the drivers for the ISMS implementation, the next requirement is to consider the internal and external stakeholders that are interested in the success of the ISMS.
    • Examples can include board members, the executive team, the sales or marketing team, customers, vendors, another framework that requires the company to align with an industry-accepted security framework, etc.
  3. Lastly, the ISO 27001 standard requires the consideration of both internal and external interfaces and dependencies of the ISMS.

The sales and/or marketing department will likely interface with the ISMS through a customer engagement role. Sales and marketing team members are responsible for appropriately representing the ISMS scope to customers. These folks could unintentionally imply that the entire organization is ISO 27001 compliant when only a subset of the company’s functions or locations are certified.

For marketing purposes, you’ll ultimately have to make sure that only the scope of services and applications that went through the process are mentioned when talking about ISO certified services.

Please reach out to us at connect@compliancepoint.com if you have any questions about ISO 27001. CompliancePoint’s ISO experts can walk you through the certification process and help you achieve your goals.

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.