Scope preparation is never an easy task. It is prudent to plan this early on.

With ISO/IEC 27701: 2019 the addition of PII is important. However, the author has found that occasionally the organisation seeking extended scope forgets that it may well be a data controller and processor. Indeed, it may only be a limited part of the organisation that seeks scope enhancement.

By creating a boundary diagram this helps visually determine the interested parties and what should and should not be within scope.

An organisation holding ISO 27001: 2013 may have a scope for the entirety of its operations but may only decide on a limited scope extension for PII under ISO 27701: 2019.

We encourage early discussions with the selected certification body for the planned scope extension sought.

For further information and to book your ISO 27701 survey please contact: Marcus J Allen at Thamer James Ltd. Email: [email protected]

Marcus has twenty years’ experience in information security standards and has assisted numerous organisations in gaining registration to 27001. He holds a BSI 27001 lead auditor certificate and BSI qualifications in 27701. In addition, Marcus is Certified Data Protection Officer, GDPR practitioner qualified and a member of the National Association of Data Protection Officers.