Just wondering how some people would and/or do approach an Enterprise State of Security assessment? Obviously given the plethora of standards, regulatory “guidelines” etc, there are no right answers. (Including size and scope of such an exercise…assume it is possible of course!). Do you see it as something impossible? Would you use something like PCI DSS? Do you have your own framework/methodology? Keen to hear people’s thoughts.

———————————————————————————————-
Securus Global: IT Security, Penetration Testing, Security Assessments, PCI Compliance, Product Assurance, QualysGuard, Security Strategy, Vulnerability Assessment.



  1. BL says:

    I am actually in the midst of doing something similar and I am using ISO 27001 as a guideline. Due to the sheer size of the organisation, ISO 27001 seems appropriate as it covers all areas that need to be taken into consideration for an enterprise wide assessment of this sort.

    Methodology:
    - Interview stakeholders based on 27001
    - Review existing policies
    - Assess/rate risks
    - Next Steps…

    Having said that, I certainly won’t use all sections of 27001 if they are not applicable – especially for a SMB. I suppose it all depends on the situation and the scope.

  2. BL, wondering why that? Is it to achieve a compliance of sorts enforced upon you or something the company may be familiar with? Or just a starting point? Interested re: comments on situation and scope. How does that cover Enterprise state of security knowledge? I suppose “scope” is the key question.

    DD

  3. BL says:

    ISO 27001 is mainly chosen as a starting point. I find most companies don’t know where to start or even know what frameworks to use. But having explained to them what ISO 27001 encompasses, that it is not associated with any specific industry, AND that they don’t necessarily have to be certified against it, which translates to no/less $$$ to management, they seemed pretty comfortable using ISO 27001. It is all about good security practices (and good governance) at the end of the day and that is a great starting point.

    In regards to scope/situation, I was referring to SMBs where they might *think* they don’t have a physical security issue, they don’t need BCP, etc. I guess that is when those sections are left out (or indicated in the report that it was not considered) or toned down a lot… does that make sense? No one wants to pay for a report on what they don’t do well! ;)

  4. Devman says:

    Love or loathe it, PCI DSS has achieved more than anything else. I challenge anyone who says otherwise but support it with something.