Frequently Asked Question

How to Fill the ISO 27001 Scope Information Sheet
Last Updated 7 months ago


This document is a simple, non-technical guide to help you fill the ISO/IEC 27001:2022 Scope & Information Gathering Excel sheet correctly.

You do not need prior knowledge of ISO or cybersecurity. The goal is only to capture accurate information about your business and IT usage, not to judge or audit you at this stage.


Important Before You Start

  • Please answer honestly and practically.
  • If something is not applicable, clearly mention “Not Applicable”.
  • If you are unsure, mention “Not Sure / To Be Confirmed”.
  • Do not leave fields blank unless explicitly instructed.

This sheet is used to:

  • Understand the scope of certification
  • Estimate effort, timeline, and cost
  • Avoid surprises during the audit stage

Understanding the Columns in the Excel Sheet

Question / Requirement Column

This column describes what information is being asked.

What to do:

  • Read the question carefully
  • Do not overthink technical terms
  • Focus on how things work in your organization today

Description / Guidance Column

This column explains why the question is asked or gives examples.

What to do:

  • Use this column as a hint, not as instructions
  • It helps you understand what type of answer is expected

Response / Answer Column (Most Important)

This is where you need to write your answer.

How to answer correctly:

  • Use simple sentences
  • Avoid marketing language
  • Write what is actually in place, not what is planned

Examples:

  • “We use Google Workspace for email”
  • “Employee laptops are password protected”
  • “No formal policy exists currently”

Honest answers help reduce rework later. Do not write what you think ISO expects

Remarks / Comments Column

Use this column for additional explanation.

When to use:

  • Partial implementation
  • Planned improvements
  • Temporary arrangements

Examples:

  • “Policy drafting in progress”
  • “Backup is manual, automation planned”

How to Answer Common Sections

Organization & Business Details

Fill basic company information such as:

  • Company name
  • Location(s)
  • Number of employees
  • Type of business

Use official records where possible.

Scope of Certification

This defines what part of the organization is covered under ISO 27001.

How to answer:

  • Mention specific departments, processes, or locations
  • Avoid saying “Entire Organization” unless required

Example:

“IT operations and customer data handling at Mumbai office”

IT Infrastructure

Describe what technology you use:

  • Laptops / desktops
  • Servers (if any)
  • Cloud services (Google Workspace, AWS, etc.)

You can answer in simple terms: “Employees use company laptops and cloud email”


Information Security Controls

These questions ask how you protect data.

Answer based on reality:

  • Antivirus: Yes / No
  • Passwords: Manual / Enforced
  • Access control: Who can see what

If something is not implemented, say so clearly.


Policies & Documentation

This checks whether formal policies exist.
If you do not have written policies:

  • Write “Not available currently”
  • This is normal for many organizations

Policies can be created later during implementation.

Backup, DR & Incident Handling

Explain how data issues are handled:

  • Is data backed up? (Yes/No)
  • Where is backup stored? (Cloud / External drive)
  • Any disaster recovery plan? (Yes/No)
  • Any incident response process? (Formal/Informal/None)

Guidelines:

  • Mention actual practice
  • Informal handling is acceptable to state

Example:

  • “Email data backed up automatically by Google”
  • “No formal disaster recovery plan”

Common Mistakes to Avoid

1.Leaving answers blank
2. Writing vague words like “Yes” without explanation
3. Overstating security maturity
4. Using technical jargon unnecessarily

If You Are Unsure What to Write

Use one of these safely:

  • “Not Applicable”
  • “Not Sure – confirmation required”
  • “Currently not implemented”

These are acceptable and expected answers.

Final Note

This document is only for understanding scope and effort.
It is not an audit and not a compliance check.

Accurate inputs here will:

  • Speed up the process
  • Reduce costs
  • Avoid confusion later

If you need help filling any section, you may contact us for clarification.
Transparency upfront makes ISO simple later.

Please Wait!

Please wait... it will take a second!