Describing a proper scope when certifying
As soon as you start preparing for a certification process with DigiTrust, you must define a clear scope and have it available. Simply put, the scope states what the intended certification covers: which activities, locations, products and services does the certification apply to? This description is the basis for the scope definition.
Tip: Include everything in the scope that should be covered by the certification. Anything that does not belong to the scope is not tested during audits and will therefore not be certified.
What is a scope?
Describing a scope is an essential part of the start of the certification process. The scope indicates the extent of the certification: it makes clear which aspects of the organisation the intended certification applies to, and states which activities and processes will be tested during the audit. The biggest advantage of a clear scope is that it provides clarity and focus in the certification process. In a good scope description, it is immediately clear what the certificate is for and what it applies to.
Define the scope
As part of your management system, you are required to define the scope. This requirement is set out in section 4.3 of the standard: you determine the boundaries and applicability of the management system in order to establish its scope. When defining the scope, take into account the internal and external issues identified under section 4.1 and the stakeholder requirements under section 4.2.
This is the basis on which your management system is certified. When you submit the certification application, the scope should already be clear, so that DigiTrust can assess whether the scope fits the standard against which you want to be certified.
Name what information you want to protect within which processes.
How do you determine whether processes or departments within your organisation fall within the scope and should be added to it? As a rule, activities and processes that directly influence the primary products and/or services delivered to customers should be included in the scope. Support processes such as HR, management and facilities are often part of the management system and documented within it, but it is not common to name them in the scope as well.
It is also possible to describe a partial scope: you may limit the scope to part of your processes. These must then be named explicitly in the scope, so that it is clear that only part of the organisation and its processes has been certified.
Note this when describing a scope
There are several aspects to consider when developing a scope. Always use clear language, and avoid catch-all terms, marketing language, abbreviations and ambiguity as far as possible. The aim is to leave nothing to the imagination in a scope description and to describe everything very specifically.
Tip: It is often assumed that a scope must consist of a single sentence. This is incorrect; on the contrary, it is wise to describe fully what falls within the scope of your management system.
Main scope and sub-scope
If you have multiple sites and business units, there is always one certification holder. The certification holder has a so-called 'umbrella scope', which must name all activities of the underlying organisations.
The underlying companies that fall within the same management system may each have a sub-scope. It is important to provide the name, address and scope for each organisation. The DigiTrust auditor will go through this with you during the audit.
A scope is used for the following:
- The scope is stated on the ISO certificate.
- It establishes which activities will be tested during the audit.
- As a result, DigiTrust knows what to assess and where, and can plan the audit schedule accordingly.
Scope description and ISO certification
ISO 27001 and NEN 7510 scope
The NCS 7510 is the standard DigiTrust must adhere to when certifying against NEN 7510. It states in section 8.2.1.c that the scope sentence must begin with: "Information security related to [activities related to the processes/products of certification]".
This is an obligation in the case of a NEN 7510 certification. It does not apply to an ISO 27001 certification; within DigiTrust, however, we use it as best practice so that the scope sentences on our certificates are uniform.
ISO 9001 scope
The scope of an ISO 9001 certification must start directly with the processes within scope. Furthermore, the scope must describe which parts of the standard do not apply, and you must substantiate this. This is a specific ISO 9001 requirement, because ISO 9001 has no VVT (Statement of Applicability). The elements of the standard that you exclude must not affect the conformity of your products or services or have a negative impact on customer satisfaction.
Ensure good scope
If you want to qualify for certification, you must work out a proper scope. This is a requirement for all management system certifications: ISO 27001, NEN 7510, ISO 27701 and ISO 9001. During the audit, the DigiTrust auditor will therefore review the scope and adjust it with you if necessary.
Do you have any questions about this? The DigiTrust team will be happy to advise you, so that you are well prepared for your certification audit.