ISO 27001 Scope
Scope outlines the specific information and areas within your organisation that will be protected and managed by your Information Security Management System (ISMS). This ensures a focused and effective implementation of ISO 27001.
Definition
Scope is defined as the boundaries of your organisation’s Information Security Management System (ISMS).
Purpose
The primary purpose of ISO 27001 Scope is to:
- Focus your information security efforts: By clearly defining the boundaries of your ISMS, you can concentrate your resources and efforts on the most critical areas of your organisation. This prevents you from wasting time and resources on areas that are outside the scope of your certification.
- Ensure effective risk management: A well-defined scope helps you identify and address the specific information security risks associated with the areas covered by your ISMS.
- Demonstrate compliance: The scope statement clearly outlines the areas that will be assessed during the ISO 27001 certification audit. This ensures that the audit focuses on the relevant aspects of your organisation’s information security practices.
- Enhance stakeholder communication: A clear scope statement helps to communicate to stakeholders (e.g., customers, suppliers, investors) the extent of your organisation’s commitment to information security.
- Improve internal awareness: By clearly defining the scope, employees understand which areas of their work are covered by the ISMS and their responsibilities within the information security framework.
Ownership
The Information Security Officer is responsible for collaborating closely with the leadership, domain experts and department heads to establish the scope of the Information Security Management System.
ISO 27001:2022 Clause 4.3
ISO 27001 Clause 4.3, Determining the Scope of the Information Security Management System, is one of the mandatory ISO 27001 clauses: it is a requirement both of the standard itself and of ISO 27001 certification.
Identifying Scope
Determining the in-scope activities for your ISO 27001 implementation should logically follow the completion of Clause 4.1 (Understanding the Organisation and its Context) and Clause 4.2 (Understanding the Needs and Expectations of Interested Parties).
Key Considerations:
Organisational Scope: Consider the scope of the ISMS in terms of:
- Organisational Units: Subsidiaries, divisions, departments, and individual employees.
- Geographical Locations: Offices, remote locations, and mobile workers.
- Products and Services: Core offerings and supporting activities.
- Systems: IT systems, physical infrastructure, and operational processes.
Stakeholder Expectations:
- Powerful Stakeholders: Determine the expectations of key stakeholders (customers, regulators, investors) regarding information security.
- Potential Impact: Assess the potential impact of excluding certain areas of the organisation on stakeholders.
Control and Influence:
- Focus on Controllable Areas: Include areas where the organisation has significant control or influence over information security.
- Consider Dependencies: Account for dependencies on external entities (e.g., suppliers) that may impact information security.
“Whole Organisation” Approach:
- Industry Trends: Recognise the increasing emphasis on “whole organisation” scope by certification bodies like UKAS.
- Customer Expectations: Many customers expect organisations to have an ISMS that covers the entire organisation.
Practical Considerations:
- Time Investment: Defining the scope can be a time-consuming process, particularly in larger organisations with complex structures.
- Potential Challenges: Addressing potential political and practical challenges within the organisation is crucial for successful scope definition.
By carefully considering these factors, organisations can establish a well-defined scope for their ISMS that effectively addresses their information security needs and aligns with industry best practices.
Out-of-Scope
When defining the scope of your ISO 27001 ISMS, it’s crucial to clearly identify and document out-of-scope areas. This involves:
- Identifying Dependencies: Clearly define the interfaces and dependencies between your organisation’s activities and those performed by external entities (e.g., suppliers, third-party service providers).
- Data Centre Outsourcing Example: If you outsource data centre services, the data centre’s internal security controls would typically fall outside your direct scope. However, you would still need to ensure that your service provider maintains an adequate ISMS and meets your organisation’s security requirements (as outlined in ISO 27001 Annex A 5.19 Information security in supplier relationships and ISO 27001 Annex A 5.23 Information security for use of cloud services).
- Physical Security Example: For physical security, if you rely on a landlord for certain security measures (e.g., building access control), these areas may be considered out of scope for your direct control. However, you would still need to address the impact of these external factors on your overall information security posture.
Considerations for Out-of-Scope Areas:
Impact on Staff:
Carefully consider the potential impact of out-of-scope areas on staff.
- Confusion and Risk: Inconsistent security practices across different areas can increase confusion and introduce additional risks.
- Alternative Approaches: Explore alternative approaches, such as treating remote workers differently from physical locations, to simplify the scope and minimise potential confusion.
Scope Changes:
- Material Changes: Be aware that significant changes to the scope of your ISMS may require additional audits or re-certification.
- Careful Planning: Plan for potential scope changes in advance and consider the potential impact on your certification status.
By carefully defining in-scope and out-of-scope areas and managing dependencies with external entities, you can establish a clear and manageable scope for your ISMS while ensuring that your organisation’s information security posture remains robust.
ISO 27001 Requirements Regarding the Scope of the ISMS
ISO 27001 mandates specific considerations when defining the scope of your Information Security Management System (ISMS):
Context of the Organisation:
The scope must take into account both internal issues and external issues as defined in Clause 4.1. For a detailed explanation, refer to this article: “ISO 27001 Clause 4.1 Understanding The Organisation And Its Context.”
Interested Parties:
The scope must address the needs and expectations of all identified interested parties, as outlined in Clause 4.2. For further guidance, refer to this article: “ISO 27001 Clause 4.2 Understanding The Needs And Expectations of Interested Parties.”
Interfaces and Dependencies:
The scope must consider the interfaces and dependencies between the ISMS and external entities, such as suppliers, customers, and regulatory bodies.
Documenting Scope
ISO 27001 requires organisations to document scope within the ISO 27001 Scope Template. This section helps establish the foundation for the Information Security Management System (ISMS) by understanding what is in scope and what is out of scope for the ISMS.
Include Supporting Information:
Supporting documentation is not a requirement of the standard, but for clarity consider providing it alongside the scope. This can include:
- Organisation charts
- Technical documentation
- Geographic information
Recommended Structure:
A clear and concise way to document scope is in a Word document with the following structure:
Scope Statement
The scope of this Information Security Management System (ISMS) encompasses all products and services offered by [Organisation Name], as outlined in [link to product/service catalogue or relevant document]. The implementation of controls is detailed within the Statement of Applicability, version [version number].
Products and Services
In Scope: [Detailed description of the products and services that are in scope]
Out Of Scope: [Detailed description of the products and services that are out of scope]
Locations
In Scope: [Detailed description of the physical locations and virtual locations that are in scope]
Out of Scope: [Detailed description of the physical locations and virtual locations that are out of scope]
Department / People
In Scope: [Detailed description of the departments, teams and people that are in scope]
Out of Scope: [Detailed description of the departments, teams and people that are out of scope]
Technology
In Scope: [Detailed description of the technologies, including supporting documentation, that are in scope]
Out of Scope: [Detailed description of the technologies, including supporting documentation, that are out of scope]
Network
In Scope: [Detailed description of the networks and devices, including network diagrams, that are in scope]
Out of Scope: [Detailed description of the networks and devices, including network diagrams, that are out of scope]
Key Considerations:
- Specificity: Use clear and concise language to describe scope.
- Regular Review: Regularly review and update the scope to reflect changes within the organisation and the evolving threat landscape.
By documenting scope in this manner, organisations gain a clear understanding of the boundaries of their ISMS and can take proactive steps to mitigate the risks that fall within those boundaries.
Updating Scope
ISO 27001 scope should be updated regularly to ensure the effectiveness of your Information Security Management System (ISMS). Here’s a breakdown of when updates are crucial:
Regular Intervals:
Annually: Conduct a thorough review of scope at least once a year. This allows you to assess changes within the organisation, such as:
- Organisational changes: Restructuring, mergers, acquisitions, or significant personnel changes.
- Technological advancements: New technologies, software updates, or changes in the threat landscape.
- Legal and regulatory changes: New laws, regulations, or industry standards impacting information security.
- Business changes: New products, services, or business processes that may introduce new security risks.
Trigger Events:
- Significant incidents: Following any security incident, conduct a thorough review of scope to identify any contributing factors and implement necessary corrective actions.
- Internal audits: During internal audits, review and update scope based on the findings and recommendations of the audit team.
- Management reviews: As part of the regular management review process, discuss and update the scope to ensure it remains relevant and accurate.
- Changes to risk assessments: Whenever risk assessments are conducted or updated, review and update the scope to reflect any new or changed risks.
Best Practices:
- Document all updates: Maintain a record of all changes made to the scope, including the date of the change, the reason for the change, and the person responsible for the change.
- Communicate updates: Ensure that all relevant stakeholders are aware of any changes to the scope.
- Involve key personnel: Involve key personnel from across the organisation in the review and update process to ensure a comprehensive and accurate assessment of scope.
By regularly updating the scope, organisations can ensure that their ISMS remains effective in addressing the evolving security challenges they face.
Benefits of scope
The benefits of identifying and documenting ISO 27001 scope are significant:
Focuses Resources and Efforts:
A clearly defined scope prevents you from wasting time and resources on areas that are outside the scope of your certification. This allows you to concentrate your efforts on the most critical areas for your organisation’s information security.
Enables Effective Risk Management:
By identifying the specific areas within scope, you can conduct targeted risk assessments and implement appropriate controls to address the most significant threats. This helps you prioritise your security efforts and allocate resources effectively.
Ensures Audit Efficiency:
A well-defined scope ensures that the certification audit focuses on the relevant aspects of your organisation’s information security practices. This streamlines the audit process and minimises the time and resources required.
Enhances Stakeholder Communication:
A clear scope statement helps to communicate to stakeholders (e.g., customers, suppliers, investors) the extent of your organisation’s commitment to information security. This builds trust and confidence among stakeholders.
Improves Internal Awareness:
By clearly defining the scope, employees understand which areas of their work are covered by the ISMS and their responsibilities within the information security framework. This promotes a stronger security culture within the organisation.
FAQ
The ISO 27001 scope defines the boundaries of your organisation’s Information Security Management System (ISMS). It outlines the specific areas of your organisation, information assets, and activities that are covered by the ISMS.
A well-defined scope helps focus resources, ensures effective risk management, streamlines audits, enhances stakeholder communication, and improves internal awareness.
Key considerations include organisational units, geographical locations, products and services, systems, information assets, stakeholder expectations, and dependencies on external entities.
Conduct thorough risk assessments, analyse stakeholder needs, and consider the organisation’s overall business objectives.
Yes, you can exclude certain areas from the scope of your ISMS. However, you must clearly document the reasons for exclusion and ensure that these exclusions do not significantly impact the overall security posture of the organisation.
The scope should be clearly documented in a dedicated document, integrated into your Information Security Policy, or referenced within other relevant documents.
Key stakeholders should be involved, including senior management, IT personnel, legal and compliance officers, and representatives from relevant departments.
The scope should be reviewed and updated regularly to reflect changes in the organisation, its business environment, and the threat landscape.
Significant changes to the scope may require additional audits or re-certification to maintain compliance with ISO 27001.
Yes, using an ISO 27001 Scope Template can help you efficiently define and document the scope of your ISMS.