The Ultimate Guide to ISO 27001 Clause 4.3: Determining The Scope Of The Information Security Management System

Last updated Sep 10, 2025

Author: Stuart Barker | ISO 27001 Expert and Thought Leader

ISO 27001 Determining The Scope Of The Information Security Management System

The biggest challenge for those new to ISO 27001 is getting the scope right.

ISO 27001 Determining The Scope Of The Information Security Management System is the requirement to define what your information security management system (ISMS) covers.

The scope clarifies:

  • Which parts of the organisation are included in the ISMS.
  • The boundaries of the organisation’s ISO 27001 certification.

In ISO 27001 this is known as ISO27001:2022 Clause 4.3 Determining The Scope Of The Information Security Management System. It is one of the mandatory ISO 27001 clauses.

Key Takeaways

  • The scope should reflect what you want to be shown on your ISO 27001 certificate
  • Narrowing scope will remove undue cost and bureaucracy
  • Getting the scope wrong can cost a lot of time and a lot of money

What is ISO 27001 Clause 4.3?

ISO 27001 Clause 4.3 Determining The Scope Of The Information Security Management System is an ISO 27001 clause that requires you to define the scope of your information security management system.

Purpose and Definition

The purpose of ISO 27001 Clause 4.3 Determining The Scope Of The Information Security Management System is to ensure a clear and well-defined scope for your Information Security Management System (ISMS) and your subsequent ISO 27001 certification. This clarity helps establish:

  • Which parts of the organisation are included within the boundaries of the ISMS.
  • The specific areas that will be assessed during the ISO 27001 certification audit.

By defining the scope, you can ensure that your ISMS is focused on the most critical areas and that your certification accurately reflects the extent of your information security efforts.

The ISO 27001 standard defines ISO 27001 Clause 4.3 Determining The Scope Of The Information Security Management System as:

The organization shall determine the boundaries and applicability of the information security management system to establish its scope.
When determining this scope, the organization shall consider:
a) the external and internal issues referred to in 4.1;
b) the requirements referred to in 4.2;
c) interfaces and dependencies between activities performed by the organization, and those that are performed by other organizations.
The scope shall be available as documented information.

ISO27001:2022 Clause 4.3 Determining The Scope Of The Information Security Management System requires you to:

  1. Establish scope by determining the boundaries and applicability of the information security management system: There is a cost in time, resource and money to implement ISO 27001, so it makes sense to concentrate on protecting the things that your clients are expecting you to protect and the things that represent the biggest risk to you. I will show you how to do this later in the article.
  2. Consider your internal and external issues: When you set the scope you are making sure that you have addressed the internal and external issues that we covered in ISO 27001 Clause 4.1 Understanding the Organisation and Its Context.
  3. Consider the needs and expectations of interested parties: The interested parties and their requirements, which we covered in ISO 27001 Clause 4.2 Understanding the Needs and Expectations of Interested Parties, will be reviewed to determine if, and how, they affect the scope you are setting.
  4. Consider what you do versus what other people do for you: Third parties will be used a lot, and those third parties will be responsible for the areas that they control, so you will define the interfaces and dependencies between activities you do and activities that they do.

ISO 27001 Clause 4.3 Explained: A Complete Guide

In the video ISO 27001 Determining Scope Of The ISMS Explained – ISO27001:2022 Clause 4.3, I show you how to implement it and how to pass the audit.

How to Define Your ISMS Scope: A Step-by-Step Guide

Scope is vitally important for your ISO 27001 Certification. It clearly sets out what we are going to apply our information security management system to and more importantly it defines what will go on our ISO 27001 certificate.

Determining your scope effectively can be challenging. To assist you, we’ve created a comprehensive guide: How To Define ISO 27001 Scope. This guide provides clear, step-by-step instructions to help you establish a well-defined scope.

We’ve included an ISO 27001 Scope Statement Template within our ISO 27001 Toolkit. This template can be used as a valuable resource to assist in the development of your official scope statement.

Based on practical, real world implementations and experience this is how to implement ISO 27001 Clause 4.3 Determining The Scope Of The Information Security Management System (ISMS):

Step 1: Define Organisational Boundaries

Clearly identify where the organisation’s boundaries lie, especially in complex or multi-national organisations.

  • Utilise organisational charts, legal documents, and stakeholder interviews to define the organisational structure.
  • Consider third-party relationships and their impact on information security.

Step 2: List all your products and services

List out all of the products and services that you have and document them.

  • Conduct workshops with key interested parties (e.g., management, product owners, sales) to identify and document core offerings.
  • Utilise process mapping and data flow diagrams to visualise the flow of products and services.

Step 3: Ask your customers which products and services they expect to be in scope

From your list of products and services ask your customers which of them they expect to be in scope. Review current contracts for any scope requirements.

Step 4: Ask your leadership team which products and services they expect to be in scope

From your list of products and services ask your leadership team which of them they expect to be in scope.

Step 5: Ask the list of interested parties which products and services they expect to be in scope

From your list of products and services ask your interested parties which of them they expect to be in scope.

Step 6: Document the list of products and services that are in scope

Taking the input from customers, leadership and interested parties document the list of products and services that are in scope.

Step 7: Review your internal and external issues

Review the products and services that are in scope against the list of internal and external issues to determine if there are any direct issues or changes to issues.

Step 8: Confirm the list of products and services that are in scope

Agree and sign off the scope with the senior leadership team and document the agreement.

Step 9: Identify Supporting Functions

Determine which departments and functions are critical to the delivery of core products and services.

  • Analyse organisational structure and identify departments that directly or indirectly support core business functions.
  • Consider departments like IT, HR, finance, legal, and facilities.

Step 10: Determine Scope Exclusions

Identify activities, departments, or systems that will be explicitly excluded from the scope of the ISMS.

  • Clearly document the rationale for any exclusions.
  • Ensure that excluded areas do not pose significant risks to the organisation’s information security.

Step 11: Document and understand the ISO 27001 Scope Boundaries

Identify the people, premises, technology, and suppliers that directly support the in-scope products and services, and understand the interfaces between in-scope entities and out-of-scope entities as well as with third-party organisations.

Step 13: Write your ISO 27001 Scope Statement

Summarise your scope in the required ISO 27001 scope statement.

  • Use clear and concise language.
  • Obtain input and approval from key interested parties.
  • Regularly review and update the scope statement to reflect changes in the organisation or its environment.

Step 14: Communicate Scope to Stakeholders

Ensure that all relevant stakeholders understand the scope of the ISMS and their roles and responsibilities within it.

  • Conduct training sessions and awareness campaigns.
  • Distribute the scope statement to all employees.
  • Include the scope statement in relevant policies and procedures.

Step 15: Obtain Management Approval

Secure management approval for the defined scope of the ISMS.

  • Present the proposed scope to management and address any concerns or questions.
  • Obtain formal approval from top management.

Step 16: Verify the scope statement with the certification body (optional)

Share your ISO 27001 scope statement with your external ISO 27001 certification body for feedback and confirmation.

ISO 27001 Scope Statement Example

An example ISO 27001 Scope Statement:

The scope of this Information Security Management System (ISMS) encompasses all products and services offered by [Organisation Name], as outlined in [link to product/service catalogue or relevant document]. The implementation of controls is detailed within the Statement of Applicability, version [version number].

In practice:

A practical example, taken directly from our ISO 27001 certification, is:

Information security consultancy and virtual chief information security officer services in accordance with the statement of applicability version 2.1

High Table ISO 27001 Scope Statement

ISO 27001 Scope Template

The ISO 27001 Scope Template provides a structured framework for defining the scope of your Information Security Management System (ISMS), fully meeting the requirements of ISO 27001 Clause 4.3.

It was designed and built with these key features:

  • Pre-filled with common scope examples: Provides a solid foundation and saves you time.
  • Available as an individual download: Offers flexibility for specific needs.
  • Included in the internationally acclaimed ISO 27001 Toolkit: Access a comprehensive suite of templates and resources to streamline your entire implementation process.

How to pass the ISO 27001 Clause 4.3 audit

To successfully pass an audit of ISO 27001 Clause 4.3, a crucial step in achieving ISO 27001 Certification, you must ensure you have implemented the mandatory ISO 27001 documents and ISO 27001 policies. You are going to need to put in place ISO 27001 controls to:

  • Document an ISO 27001 Scope Statement
  • Implement the ISO 27001 standard

What an auditor looks for

The auditor will assess several key areas related to Clause 4.3 during their audit:

1. That you have documented your ISO 27001 scope

You must have a documented scope for your Information Security Management System (ISMS). The auditor will check for the existence of a documented scope statement. Utilising the ISO 27001 Scope Template can simplify this process.

2. That you have implemented the scope

You must have implemented the ISO 27001 standard within the defined scope. The auditor will assess whether the requirements of the ISO 27001 standard have been applied effectively to the identified products, services, and areas included within the scope.

3. That the scope was approved

Your documented scope must be formally approved. The auditor will check for evidence of scope approval, such as documented approvals and signatures from relevant management personnel.

How to audit ISO 27001 Clause 4.3

This audit checklist is a guide on how to conduct an internal audit of ISO 27001 scope based on what the ISO 27001 certification auditor will audit. It gives practical audit tips including what to audit and how.

1. Check that scope boundaries are defined

  • Review scope documentation, diagrams, and network maps.
  • Interview personnel involved in defining the scope.
  • Check for consistency with other documented information.

2. Check that the scope is aligned with the organisation’s goals

  • Review business strategy documents, risk assessments, and management review minutes.
  • Interview senior management about how the scope supports business objectives.

3. Review scope exclusions

  • Review the documented justifications for exclusions.
  • Interview personnel about the rationale behind exclusions.
  • Assess the potential impact of excluded elements on information security.

4. Ensure the scope is documented

  • Inspect the scope document for completeness, accuracy, and clarity.
  • Check version control and document accessibility.

5. Check interdependencies between systems

  • Review network diagrams, data flow diagrams, and agreements with third parties.
  • Interview personnel about system interconnections and dependencies.
  • Review legal and regulatory requirements relevant to the organisation.
  • Check that the scope document reflects these requirements.

7. Evidence the inclusion of supporting processes

  • Review process documentation and interview personnel from supporting functions.
  • Assess the impact of these processes on information security.

8. Ensure that the scope was communicated

  • Review communication records and interview personnel about their understanding of the scope.
  • Check for evidence of communication to relevant stakeholders.

9. Gain evidence of scope reviews

  • Examine the process for reviewing and updating the scope.
  • Check review frequency and evidence of updates.
  • Look for triggers for review (e.g., changes in business strategy, new threats).

10. Review justifications for scope changes

  • Review records of scope changes and their justifications.
  • Interview personnel about the reasons for changes and their impact on the ISMS.

Top 3 ISO 27001 Clause 4.3 Mistakes and How to Fix Them

These are the top 3 mistakes people make for ISO 27001 Scope:

1. Defining an Overly Broad Scope

Including unnecessary areas within the scope of your ISMS can lead to wasted time, resources, and unnecessary costs. Carefully consider and document the specific products, services, and areas that require information security controls.

2. Neglecting Client Expectations

Failing to consider client expectations and requirements within the scope of your ISMS can diminish the value of your certification. Involve clients in the scope definition process to ensure your ISMS addresses their specific needs and concerns.

3. Poor Scope Management

Inadequate documentation, version control, and review of the scope statement can lead to confusion and non-compliance. Maintain accurate and up-to-date records of the scope statement, implement a robust version control system and regularly review and update the scope statement to reflect changes in the organisation or its environment.

How can an ISO 27001 toolkit help with ISO 27001 Clause 4.3?

An ISO 27001 toolkit gives you the tools you need to meet the rules in Clause 4.3 quickly and correctly.

1. It Offers a Clear Plan

Instead of beginning from nothing, a toolkit offers a ready-made plan for deciding your ISMS scope. It often includes a “Scope and Boundaries Document” that asks you to think about all the necessary parts of the clause. This helps you avoid missing key items like certain business groups, physical spots, or outside helpers.

2. It Saves Time and Effort

Using ready-to-use, flexible forms helps you save a lot of time and resources. Writing a scope document from scratch takes a lot of time. The forms provide the layout, so you just fill in your company’s details, like which departments, goods, or services are included.

3. It Ensures All Parts Are Included and Rules Are Followed

A good toolkit helps make sure your scope paperwork is full and can be checked. The forms are often made by experts and match the ISO 27001 rules. They have spots to write down why you left anything out, which is key for an auditor. Some kits even come with checklists to confirm all the rules of Clause 4.3 have been met.

4. It Connects to Other Rules

Clause 4.3 is directly linked to Clauses 4.1 and 4.2. Many toolkits offer combined documents or tips that show you how to connect what you found out about the “context of the organization” (Clause 4.1) and “interested parties” (Clause 4.2) right into your scope plan. This makes sure the first steps of your ISO 27001 rollout are logical and easy, making the whole process smoother.


ISO 27001 Clause 4.3: Determining The Scope Of The Information Security Management System FAQ

Should the entire organisation be in scope for ISO 27001 certification?

No. The burden and overhead of ISO 27001 is high and documentation heavy. Including the whole organisation if it is not needed will put undue pressure on resources such as staff time and your company’s money. You should narrow the scope of the ISO 27001 certification to the products and/or services that are relevant to your customers and clients. You can even narrow the scope to a subset of that and prioritise for year 1 with a view to extending scope once you are comfortable with the process and what is involved. Do not overcomplicate it.

What are the ISO 27001:2022 Changes to Clause 4.3?

Not a massive change to ISO 27001 Clause 4.3 in the 2022 update as the only thing it does is remove the word ‘and’ from 4.3 b. Great isn’t it?

What is the ISO 27001 scope?

The ISO 27001 scope defines the boundaries of your organisation’s Information Security Management System (ISMS). It outlines the specific areas of your organisation, information assets, and activities that are covered by the ISMS.

What is the impact if I get ISO 27001 scope wrong?

Getting the ISO 27001 scope wrong can lead to you not meeting the requirements of your customers and clients. If this happens, the entire exercise will be a wasted journey. In addition, if you increase the scope beyond what is required you introduce a lot of effort and bureaucracy your organisation could otherwise have avoided. This can lead to lost time and lost profits. Be sure you spend time on this part of the process to get it right. If in doubt, ask your clients what they expect of you. They will tell you. This is your focus. This is your scope.

Why is defining the scope important?

A well-defined scope helps focus resources, ensures effective risk management, streamlines audits, enhances stakeholder communication, and improves internal awareness.

Can I use a template to define the scope?

Yes, using an ISO 27001 Scope Template can help you efficiently define and document the scope of your ISMS.

How do I determine what to include in the scope?

Conduct thorough risk assessments, analyse stakeholder needs, and consider the organisation’s overall business objectives.

Can I exclude certain areas from the scope?

Yes, you can exclude certain areas from the scope of your ISMS. However, you must clearly document the reasons for exclusion and ensure that these exclusions do not significantly impact the overall security posture of the organisation.

Who should be involved in defining the scope?

Key stakeholders should be involved, including senior management, IT personnel, legal and compliance officers, and representatives from relevant departments.


About the author

Stuart Barker is an information security practitioner of over 30 years. He holds an MSc in Software and Systems Security and an undergraduate degree in Software Engineering. He is an ISO 27001 expert and thought leader holding both ISO 27001 Lead Implementer and ISO 27001 Lead Auditor qualifications. In 2010 he started his first cyber security consulting business that he sold in 2018. He worked for over a decade for GE, leading a data governance team across Europe and since then has gone on to deliver hundreds of client engagements and audits.

He regularly mentors and trains professionals on information security and runs a successful ISO 27001 YouTube channel where he shows people how they can implement ISO 27001 themselves. He is passionate that knowledge should not be hoarded and brought to market the first of its kind online ISO 27001 store for all the tools and templates people need when they want to do it themselves.

In his personal life he is active and is a hobbyist kickboxer.

His specialisms are ISO 27001 and SOC 2, and his niche is start-up and early-stage businesses.