ISO 27001 Scope Statement Explained


ISO 27001 Scope Statement

Scope statements are included on the ISO 27001 certificate. This statement informs your customers, prospects, and other stakeholders about the specific aspects of your organisation that are certified as protected by your Information Security Management System (ISMS).

Scope statements are typically documented concisely, ranging from a couple of lines to a short paragraph.

Definition

The ISO 27001 scope statement defines the specific organisational activities, products, or services that fall within the boundaries of an organisation’s Information Security Management System (ISMS) and are therefore assessed for conformity with the ISO 27001 standard.

Purpose

The ISO 27001 scope statement serves several critical purposes:

Defines the Boundaries of Your ISMS:

It clearly outlines which parts of your organisation, information assets, and activities are included within the scope of your Information Security Management System (ISMS). This helps to focus your security efforts and resources.

Communicates Scope to Stakeholders:

The scope statement provides a clear and concise communication tool for stakeholders, including employees, management, customers, suppliers, and auditors. It ensures everyone understands the extent of your organisation’s commitment to information security.

Guides Risk Assessment and Control Implementation:

The scope statement informs your risk assessment process by defining the areas that need to be evaluated. It also guides the selection and implementation of appropriate controls to address the identified risks within the defined scope.

Ensures Audit Focus:

The scope statement provides a clear framework for the certification audit. Auditors can use the scope statement to verify that the organisation has implemented and maintained an effective ISMS within the defined boundaries.

Supports Compliance and Certification:

A well-defined scope statement is essential for demonstrating compliance with the ISO 27001 standard and achieving and maintaining ISO 27001 certification.

In essence, the scope statement acts as a foundational document for your entire ISO 27001 implementation. It provides a clear roadmap for your information security efforts and ensures that your organisation’s resources are effectively allocated to achieve and maintain an effective ISMS.

Ownership

The Information Security Officer is responsible for collaborating closely with the leadership, domain experts and department heads to establish an appropriate scope statement.

ISO 27001:2022 Clause 4.3

ISO 27001 Clause 4.3, Determining the Scope of the Information Security Management System, is one of the mandatory ISO 27001:2022 clauses. It is a requirement for ISO 27001 certification and is the clause that the scope statement directly satisfies.

How to write a scope statement

10 Steps to Implement ISO 27001 Scope Statement

Define Organisational Boundaries:

Challenge:

  • Clearly defining the limits of the organisation, especially in complex or multi-national companies.

Solution:

  • Utilise organisational charts, legal documents, and stakeholder interviews to define the organisational structure.
  • Consider third-party relationships and their impact on information security.

Identify Core Products and Services:

Challenge:

  • Accurately determining the core offerings, especially in diverse organisations with multiple business units.

Solution:

  • Conduct workshops with key stakeholders (e.g., management, product owners, sales) to identify and document core products and services.
  • Utilise process mapping and data flow diagrams to visualise the flow of products and services.

Identify Supporting Functions:

Challenge:

  • Determining which departments and functions are essential for the delivery of core products and services.

Solution:

  • Analyse organisational structure and identify departments that directly or indirectly support core business functions.
  • Consider departments like IT, HR, finance, legal, and facilities.

Identify Information Assets:

Challenge:

  • Identifying all critical information assets, including data, systems, and intellectual property.

Solution:

  • Conduct a comprehensive information asset inventory, including data classification exercises.
  • Utilise data flow diagrams and business process mapping to identify information flows.

Identify Information Security Risks:

Challenge:

  • Accurately assessing the potential threats and vulnerabilities associated with in-scope products and services.

Solution:

  • Conduct a thorough risk assessment, considering internal and external threats.
  • Prioritise risks based on their likelihood and potential impact.

Determine Scope Exclusions:

Challenge:

  • Identifying activities, departments, or systems that will be explicitly excluded from the scope of the ISMS.

Solution:

  • Clearly document the rationale for any exclusions.
  • Ensure that excluded areas do not pose significant risks to the organisation’s information security.

Define Scope Statement:

Challenge:

  • Creating a concise and unambiguous scope statement that is easily understood by all stakeholders.

Solution:

  • Use clear and concise language.
  • Obtain input and approval from key stakeholders.
  • Regularly review and update the scope statement to reflect changes in the organisation or its environment.

Communicate Scope to Stakeholders:

Challenge:

  • Ensuring that all relevant stakeholders understand the scope of the ISMS and their roles and responsibilities within it.

Solution:

  • Conduct training sessions and awareness campaigns.
  • Distribute the scope statement to all employees.
  • Include the scope statement in relevant policies and procedures.

Obtain Management Approval:

Challenge:

  • Securing management approval for the defined scope of the ISMS.

Solution:

  • Present the proposed scope to management and address any concerns or questions.
  • Obtain formal approval from top management.

Document and Maintain:

Challenge:

  • Maintaining accurate and up-to-date documentation of the scope of the ISMS.

Solution:

  • Store the scope statement in a central location.
  • Regularly review and update the scope statement as needed.
  • Ensure that all changes to the scope are properly documented.

By carefully considering these steps and addressing the associated challenges, organisations can establish a well-defined scope for their ISMS, which is essential for successful ISO 27001 implementation and ongoing compliance.

10 Examples of ISO 27001 Scope Statements

Simple & Broad:

“This ISMS covers all information assets and associated processes within [Organization Name] located at [Main Office Location] and all remote locations.”

Product/Service Focused:

“This ISMS covers the design, development, and delivery of [Product/Service Name] including all associated research, development, manufacturing, and customer support activities.”

Department Specific:

“This ISMS covers the IT department, including all IT infrastructure, applications, and data within the [Organization Name] network.”

Geographic Scope:

“This ISMS covers all [Organization Name] locations within the United States, including corporate headquarters, regional offices, and remote work locations.”

Exclusions Defined:

“This ISMS covers all departments within [Organization Name] except for [Excluded Department Name]. The scope excludes [Specific excluded activities, e.g., personal devices used for purely personal purposes].”

Supplier Inclusion:

“This ISMS includes [Key Supplier Name] for the provision of [Specific service, e.g., cloud services] and covers the exchange of information between [Organization Name] and [Supplier Name].”

Hybrid Work Environment:

“This ISMS covers all employees working from the main office, remote locations, and home offices, including the use of company-issued and personally-owned devices for work purposes.”

Project Specific:

“This ISMS covers the [Project Name] project, including all project-related activities, data, and systems, from initiation to completion.”

Healthcare Specific:

“This ISMS covers the provision of [Specific healthcare service, e.g., outpatient care] at [Clinic/Hospital Name], including patient data, medical records, and associated clinical systems.”

Manufacturing Specific:

“This ISMS covers the manufacturing and distribution of [Product Name], including all associated processes, equipment, and supply chain activities.”

Documenting Scope

ISO 27001 requires organisations to document the scope statement within the ISO 27001 Scope Template. This section helps establish the foundation for the Information Security Management System (ISMS) by understanding what is in scope and what is out of scope for the ISMS.

A clear and concise way to document the scope statement is in a Word document with the following structure:

Scope Statement

The scope of this Information Security Management System (ISMS) encompasses all products and services offered by [Organisation Name], as outlined in [link to product/service catalogue or relevant document]. The implementation of controls is detailed within the Statement of Applicability, version [version number].

Key Considerations:

  • Specificity: Use clear and concise language to describe the scope statement.
  • Regular Review: Regularly review and update the scope statement to reflect changes within the organisation and the evolving threat landscape.

Documenting the scope statement in this manner makes it clear to everyone what the ISMS protects and what it does not, so that risk assessment and control implementation can be directed at the areas that are actually in scope.

Updating Scope Statements

ISO 27001 scope statements should be updated regularly to ensure the continued effectiveness of your Information Security Management System (ISMS). Here’s a breakdown of when updates are crucial:

Regular Intervals:

Annually: Conduct a thorough review of the scope statement at least once a year. This allows you to assess changes within the organisation, such as:

  • Organisational changes: Restructuring, mergers, acquisitions, or significant personnel changes.
  • Technological advancements: New technologies, software updates, or changes in the threat landscape.
  • Legal and regulatory changes: New laws, regulations, or industry standards impacting information security.
  • Business changes: New products, services, or business processes that may introduce new security risks.

Trigger Events:

  • Significant incidents: Following any security incident, conduct a thorough review of the scope statement to identify any contributing factors and implement necessary corrective actions.
  • Internal audits: During internal audits, review and update the scope statement based on the findings and recommendations of the audit team.
  • Management reviews: As part of the regular management review process, discuss and update the scope statement to ensure it remains relevant and accurate.
  • Changes to risk assessments: Whenever risk assessments are conducted or updated, review and update the scope statement to reflect any new or changed risks.

Best Practices:

  • Document all updates: Maintain a record of all changes made to the scope statement, including the date of the change, the reason for the change, and the person responsible for the change.
  • Communicate updates: Ensure that all relevant stakeholders are aware of any changes to the scope statement.
  • Involve key personnel: Involve key personnel from across the organisation in the review and update process to ensure a comprehensive and accurate assessment of the scope statement.

By regularly updating the scope statement, organisations can ensure that their ISMS remains effective in addressing the evolving security challenges they face.

Benefits of Scope Statements

The benefits of ISO 27001 scope statements are significant:

Focuses Resources & Efforts

Benefit: Prevents wasting time and resources on areas outside the scope of certification.

Example: A software company focuses its ISMS on product development and customer data, excluding personal devices used for purely personal purposes. This allows them to concentrate resources on the most critical areas.

Enables Effective Risk Management

Benefit: Allows for targeted risk assessments and control implementation.

Example: A healthcare provider defines the scope to include patient records, medical devices, and clinical systems. This enables them to conduct risk assessments specific to these critical areas and implement appropriate safeguards.

Streamlines Audits

Benefit: Ensures audits focus on relevant aspects, improving efficiency and reducing audit time.

Example: A manufacturing company clearly defines its scope, excluding non-core administrative functions. This allows auditors to focus on the core production processes and associated information security risks.

Improves Communication & Transparency

Benefit: Clearly communicates the scope of information security efforts to stakeholders.

Example: A financial institution clearly defines the scope of its ISMS, including customer data, financial transactions, and employee data. This demonstrates a commitment to data security and builds trust with customers.

Supports Continuous Improvement

Benefit: Provides a foundation for ongoing improvement by regularly reviewing and updating the scope statement.

Example: A technology company regularly reviews its scope statement to incorporate new technologies, services, and emerging threats. This ensures that the ISMS remains relevant and effective in the evolving threat landscape.

By clearly defining the scope within your ISO 27001 implementation, you can achieve these benefits and ensure that your information security efforts are aligned with your organisation’s specific needs and objectives.

FAQ

What is the purpose of an ISO 27001 scope statement?

It defines the boundaries of your organisation’s Information Security Management System (ISMS), outlining which parts of your organisation, information assets, and activities are included and excluded.

What information should be included in the scope statement?

  • Specific departments, locations, products, services, systems, and information assets covered by the ISMS.
  • Any exclusions from the scope and the reasons for those exclusions.
  • Dependencies on external entities (e.g., suppliers, cloud providers).

Who should be involved in creating the scope statement?

Senior management, IT personnel, legal and compliance officers, risk managers, and other relevant stakeholders.

How is the scope statement documented?

It can be a separate document, integrated into the Information Security Policy, or referenced within other relevant documents.

When should the scope statement be reviewed and updated?

Regularly, such as during management reviews or when significant changes occur within the organisation (e.g., new products, mergers, acquisitions).

Can I change the scope of my ISMS after certification?

Yes, but significant changes may require additional audits or re-certification.

How does the scope statement impact risk assessment?

It guides the risk assessment process by focusing on the specific areas and information assets within the scope of the ISMS.

What are the benefits of a well-defined scope statement?

Improved resource allocation, enhanced risk management, streamlined audits, better communication with stakeholders, and increased confidence in information security.

What are the potential consequences of a poorly defined scope?

Wasted resources, ineffective risk management, increased audit scope, and potential non-compliance with ISO 27001.

How can I ensure my scope statement is effective?

Involve key stakeholders, conduct thorough reviews, and ensure the statement is clear, concise, and easy to understand.
