ISO 27001 Determining The Scope Of The Information Security Management System: Your Complete FAQ Guide

23/09/2025

Author: Stuart Barker | ISO 27001 Expert and Thought Leader

What is it?

It’s all about defining the boundaries of your security system. You’re figuring out what information, processes, people, technology, and physical locations are included in your ISO 27001 project. This is a strategic decision that makes your security efforts focused and manageable. It’s a key part of the ISO 27001 standard.

Applicability to Small Businesses, Tech Startups, and AI Companies

The concept is the same for everyone, but the scope itself will be very different depending on your business.

  • Small Businesses: You can often include your entire business in the scope. It’s usually small and focused, so it’s practical to protect everything.
  • Tech Startups: You might choose to scope your ISMS to just your core product, like a specific app or software platform, and the team that supports it. This lets you get certified faster and focus on what’s most important.
  • AI Companies: Your scope will likely focus on your AI models, the data you use to train them, and the infrastructure that supports them. You’ll also need to include the people who manage this data.

ISO 27001 Scope Template

The ISO 27001:2022 Scope Template is designed to fast-track your implementation and give you an exclusive, industry best-practice policy template that is pre-written and ready to go. It is included in the ISO 27001 toolkit.

Why do you need it?

You need this because you can’t protect everything at once, especially if you’re a big company. Defining your scope makes your project manageable and your security efforts effective. It makes sure you’re focusing on what’s most critical and not wasting time on things that aren’t a priority for your business. It also shows an auditor exactly what your certification covers.

When do you need it?

You do this right after you understand your organisation’s context and the needs of your interested parties. It’s step three in your ISO 27001 project. You should do it early on and keep it in mind throughout the whole process.

Who needs it?

Top management needs to approve the scope. The people who are responsible for the different parts of the business included in the scope also need to be involved. This could be your IT manager, a product owner, or a facility manager.

Where do you need it?

This is a formal document that you’ll keep with the rest of your ISO 27001 paperwork. It’s a core piece of your ISMS documentation and will be reviewed by an auditor. You should have it in a central, accessible location.

How do you write it?

Start by writing a clear statement that says what’s in and what’s out. For example, “The scope of the ISMS covers the development, maintenance, and support of the ‘X’ software application and the associated customer data.” You should also list the physical locations, teams, and processes included. Make sure you also explain why you’ve excluded anything.

How do you implement it?

Once you’ve decided on your scope, you need to use it as a guide for your whole project. All your security policies, risk assessments, and controls will only apply to the things within your scope. It becomes your rulebook for what you’re protecting and what you’re not.

Examples of using it for small businesses

For a Small Business (e.g., a web design agency): Your scope might be “The ISMS covers all business operations, including web design, hosting, and client data management at our single office location.”

Examples of using it for tech startups

For a Tech Startup (e.g., a SaaS company): Your scope could be “The ISMS applies to the development, hosting, and customer support for our primary product, ‘CloudSync,’ and the employees who work on it.” You might exclude your marketing team’s laptops.

Examples of using it for AI companies

For an AI Company (e.g., a natural language processing service): Your scope might be “The ISMS covers the development of our ‘ChatBot’ AI model and the handling of the training and user data within our cloud infrastructure.”

How can the ISO 27001 toolkit help?

The ISO 27001 toolkit includes a template for a scope document. This can save you a lot of time and help you make sure you include all the required information. The template usually includes prompts and examples to help you write a comprehensive scope.

Which other information security standards need it?

This idea of defining a scope is part of the Annex SL framework, which is a common structure for many ISO management system standards. So, you’ll see this requirement in standards like ISO 9001 (Quality Management) and ISO 14001 (Environmental Management). It’s a standard practice for managing a system and also applicable to:

  • GDPR (General Data Protection Regulation)
  • CCPA (California Consumer Privacy Act)
  • DORA (Digital Operational Resilience Act)
  • NIS2 (Network and Information Security (NIS) Directive)
  • SOC 2 (Service Organisation Control 2)
  • NIST (National Institute of Standards and Technology)
  • HIPAA (Health Insurance Portability and Accountability Act)

What are the relevant ISO 27001:2022 controls?

This step doesn’t have a direct control number; it is a clause of the standard itself: ISO 27001:2022 Clause 4.3, Determining The Scope Of The Information Security Management System. However, the scope you define will determine which controls you need to implement. All controls listed in the standard are potentially relevant, but your scope will help you decide which ones are a priority.

For Small Businesses:

You’ll likely need to address a wide range of basic controls, but at a smaller scale. This includes

For Tech Startups:

Since your scope is often focused on a product, you’ll want to focus on

For AI Companies:

With your focus on data and models, you’ll need controls for data integrity and access. This includes

ISO 27001 Determining The Scope Of The Information Security Management System FAQ

Can I change my scope later?

Yes, but it’s a formal process that needs to be documented and approved by management.

What if I have multiple offices?

You can include all of them, or just a few. It’s your choice, but you must justify it.

Is it better to have a big or small scope?

A smaller scope is often easier to manage and can get you certified faster. A bigger scope shows a broader commitment to security.

How do I decide what to include?

You should base this on your context and the needs of your interested parties. Focus on the parts of your business that are most critical or have the highest risk.

Can I exclude certain departments?

Yes, you can. Just be sure you have a clear reason for doing so.

Does the scope have to be physical?

No, it can also be logical, like “all data on our customer database.”

Do I have to share my scope with anyone?

Your auditor will want to see it, and it’s a good idea to communicate it to your employees.

What if my business is entirely cloud-based?

Your scope will be logical, covering your cloud systems, the data they hold, and the people who manage them.

What’s the difference between scope and a risk assessment?

The scope tells you what to include in your risk assessment. It’s the “what” before the “how.”

What if a customer wants to see my scope?

It’s often shared in a company’s statement of applicability, which you can provide to customers.

What if my company is growing?

That’s a great time to review your scope and see if you need to expand it.

Can I certify just one product?

Yes, this is a very common strategy for tech companies.

Is the scope a one-time thing?

No, you need to review it regularly to ensure it still fits your business.

What’s the biggest mistake people make with the scope?

Making it too vague. It needs to be very clear and specific.

Does the scope need to be approved by management?

Yes, it’s a critical decision that needs leadership buy-in.

About the author

Stuart Barker is an information security practitioner with over 30 years of experience. He holds an MSc in Software and Systems Security and an undergraduate degree in Software Engineering. He is an ISO 27001 expert and thought leader holding both ISO 27001 Lead Implementer and ISO 27001 Lead Auditor qualifications. In 2010 he started his first cyber security consulting business, which he sold in 2018. He worked for over a decade for GE, leading a data governance team across Europe, and since then has gone on to deliver hundreds of client engagements and audits.

He regularly mentors and trains professionals on information security and runs a successful ISO 27001 YouTube channel where he shows people how they can implement ISO 27001 themselves. He is passionate that knowledge should not be hoarded, and he brought to market the first-of-its-kind online ISO 27001 store for all the tools and templates people need when they want to do it themselves.

In his personal life he is active and a hobbyist kickboxer.

His specialisms are ISO 27001 and SOC 2, and his niche is start-up and early-stage business.