The ISO 27001 Clause 4.3 audit checklist is designed to help an ISO 27001 Lead Auditor conduct internal audits and external audits of ISO 27001 Clause 4.3 Determining The Scope Of The Information Security Management System (ISMS).
The 10 point ISO 27001 audit plan sets out what to audit, the challenges faced and the audit techniques to adopt.
Table of contents
- Defining the Scope Boundaries
- Considering Organisational Context
- Identifying Exclusions
- Documenting the Scope
- Interdependencies with Other Systems
- Alignment with Legal and Regulatory Requirements
- Inclusion of Supporting Processes
- Communication of the Scope
- Regular Review of the Scope
- Justification for Scope Changes
- Further Reading
Defining the Scope Boundaries
Clearly define the physical and logical boundaries of the ISMS, specifying what is included and excluded.
Challenges
Difficulty in defining clear boundaries, especially with complex or distributed systems. Overlooking interconnected systems or dependencies.
Audit Techniques
Review scope documentation, diagrams, and network maps. Interview personnel involved in defining the scope. Check for consistency with other documented information.
Considering Organisational Context
The scope should align with the organisation’s overall business objectives, structure, and risk appetite.
Challenges
Scope not reflecting the organisation’s strategic goals or being too narrow/broad for its risk profile.
Audit Techniques
Review business strategy documents, risk assessments, and management review minutes. Interview senior management about how the scope supports business objectives.
Identifying Exclusions
Document any exclusions from the ISMS scope and justify them.
Challenges
Difficulty in justifying exclusions, especially if they involve critical assets or processes. Potential for “scope creep” where excluded elements later become relevant.
Audit Techniques
Review the documented justifications for exclusions. Interview personnel about the rationale behind exclusions. Assess the potential impact of excluded elements on information security.
Documenting the Scope
The ISMS scope should be documented and readily available to relevant parties.
Challenges
Maintaining up-to-date scope documentation, especially when changes occur. Ensuring the document is clear, concise, and easily understood.
Audit Techniques
Inspect the scope document for completeness, accuracy, and clarity. Check version control and document accessibility.
Interdependencies with Other Systems
The scope should consider interdependencies with other systems, even if they are outside the ISMS boundary.
Challenges
Difficulty in identifying and managing dependencies, especially with third-party systems. Potential for vulnerabilities in connected systems to impact the ISMS.
Audit Techniques
Review network diagrams, data flow diagrams, and agreements with third parties. Interview personnel about system interconnections and dependencies.
Alignment with Legal and Regulatory Requirements
The scope should encompass all information and processes subject to relevant legal and regulatory requirements.
Challenges
Keeping up with changing legal and regulatory landscape. Ensuring all applicable requirements are identified and addressed within the scope.
Audit Techniques
Review legal and regulatory requirements relevant to the organisation. Check that the scope document reflects these requirements.
Inclusion of Supporting Processes
The scope should include supporting processes that are essential for information security (e.g., HR, physical security).
Challenges
Overlooking supporting processes that have an impact on information security. Defining the appropriate level of control for these processes.
Audit Techniques
Review process documentation and interview personnel from supporting functions. Assess the impact of these processes on information security.
Communication of the Scope
The ISMS scope should be communicated to all relevant stakeholders.
Challenges
Ensuring all stakeholders understand the scope and their responsibilities within it. Maintaining consistent communication about scope changes.
Audit Techniques
Review communication records and interview personnel about their understanding of the scope. Check for evidence of communication to relevant stakeholders.
Regular Review of the Scope
The ISMS scope should be reviewed regularly and updated as needed.
Challenges
Reviews being infrequent or not triggered by changes in the business or threat environment. Difficulty in managing scope changes effectively.
Audit Techniques
Examine the process for reviewing and updating the scope. Check review frequency and evidence of updates. Look for triggers for review (e.g., changes in business strategy, new threats).
Justification for Scope Changes
Any changes to the ISMS scope should be documented and justified.
Challenges
Failing to document and justify scope changes, leading to confusion and potential gaps in security.
Audit Techniques
Review records of scope changes and their justifications. Interview personnel about the reasons for changes and their impact on the ISMS.
Further Reading
ISO 27001 Clause 4.3 Determining The Scope Of The Information Security Management System (ISMS)
ISO 27001 Clause 4.3 Implementation Checklist
