
Are you paying too much for compliance?

James Boughey, Head of Governance, Risk & Compliance

Many organisations invest heavily in ISO 27001 and PCI DSS year after year — but few realise they may be paying for a scope that is larger, more complex, and more expensive than necessary. 

If your scope hasn’t been reviewed recently, there’s a strong chance you’re overspending. 

A common issue seen across the cyber security industry is that suppliers often:

• Define your scope at the start of the engagement
• Rarely revisit or reassess it
• Continue auditing and maintaining that same scope year after year

Often, clients (understandably) assume their assessor is already working to optimise their scope — but without a formal reassessment process, it may not automatically happen.

As an organisation matures, its systems, controls and processes evolve alongside it. What once required extensive coverage may now be simplified by improved security controls, automated tooling or the introduction of new software. Yet many suppliers continue to audit against the original scope regardless.

What is ‘descoping’?

The process of bringing your compliance scope back into alignment with your current risk profile is known as ‘descoping’. It should typically be initiated by your assessor, and an effective descoping exercise involves close collaboration between the assessor and client to understand what has changed since the original scope was defined and whether all systems, assets and processes currently within scope still require coverage.

Done well, a descoping exercise will:

• Simplify your compliance scope by removing unnecessary complexities
• Reduce audit effort and administration time
• Lower ongoing consultancy costs
• Close security gaps and identify areas for improvement
• Expose genuine security risks and gaps in controls
• Strengthen your overall security posture

However, many suppliers don’t automatically do this. That's why it’s important to partner with an assessor who is willing to challenge the status quo and actively reassess your scope rather than simply renew what's already in place. 

Below are three examples of what that looks like in practice.

Case studies

Example 1: Cyber insurance scope reduction

A charity organisation approaching its cyber insurance renewal was unsure how to navigate its insurer's security requirements. The insurer used a tiered risk model: organisations that could demonstrate a stronger security posture would receive a more favourable risk rating and, therefore, a lower premium.

Working closely with the client and their IT managed service provider, we mapped the insurer's specific requirements against the organisation's existing controls, identified the gaps and recommended practical, cost-effective solutions to close them. The charity completed its renewal questionnaire with confidence and presented a stronger security posture.

This resulted in a lower risk rating and ultimately reduced their annual premium by approximately £16k. The saving allowed the client to increase its IT budget, improve its security posture and tooling, and offset the implementation cost.

Example 2: PCI scope reduction

This client had a long-standing relationship with a previous Qualified Security Assessor (QSA), with annual PCI compliance assessments delivered over several years. Due to increasing consultancy costs, the client approached us for a competitive quotation. What we found when we looked below the surface was more significant than a pricing issue.

The existing programme had been built around maintaining compliance but not optimising it. The scope hadn't been formally challenged and several opportunities to reduce audit surface area had been overlooked.

Prior to the formal engagement, we took time to understand the client’s payment channels and flag where scope reduction might be possible. Once engaged, we carried out a full PCI scoping exercise across all payment environments, ran a gap analysis, identified areas for improvement and explored alternative environments that the previous assessor had not.

The result was a significant scope reduction for the client—achieved while retaining their existing payment environment—that cut the number of in-scope assets, reduced required QSA audit time and lowered ongoing consultancy spend. We also developed a three-year roadmap to transition to alternative payment solutions to further reduce the scope.


Example 3: ISO 27001 scope rationalisation and cost reduction

A retail client’s original ISO 27001 scope was defined too broadly, including several corporate systems, shared services and business functions that had no direct bearing on the certified service. This made their Information Security Management System (ISMS) harder to manage than it needed to be and it inflated audit effort and compliance costs. 

We started by revisiting the original purpose of the certification and identifying which systems, processes and assets genuinely needed to remain in scope. Through discussions with stakeholders, asset reviews and data flow analysis, we were able to separate the critical services from non-essential areas. This included elements of HR, finance and shared internal platforms that had been captured in the original scope without clear justification.

From there, we redefined the ISMS boundary, updated the Statement of Applicability (SoA) and documented clearly how in-scope and out-of-scope environments interacted. Throughout, we made sure the descoping rationale was well-evidenced and justifiable from an auditor's perspective, not just a cost-cutting exercise. 

The client's annual audit and compliance costs were previously running at approximately £75k, reflecting the original broad scope of systems, users and business functions. Following the descoping exercise, that figure reduced to around £55k per year—a saving of £20k annually. The streamlined scope also made the ISMS significantly easier to manage and maintain.


Think you might be paying too much for compliance?

Stagnant compliance programmes are common, especially once an annual review cycle is established and goes consistently unchallenged.

If your organisation hasn’t formally requested a review of your compliance scope in the last year, it’s worth considering:

• Has our scope changed since it was originally defined?
• Are there systems, environments or processes still in scope that no longer need to be?
• Have we asked our assessor for any recommendations to improve or optimise scope efficiency, where this is within their remit?
• Is our current assessor delivering the assessment in line with the Statement of Work as agreed?
• Are we maintaining certain areas in scope because they are genuinely required, or simply because they have always been included historically?

Our team works with organisations at every stage of their compliance journey, from initial scoping through to annual assessments and long-term programme design. If you'd like an independent view of where your current compliance scope sits, or you’re interested in a comparative quotation, get in touch with us.