ISO27001 Clause 4.3 Determining The Scope Of The Information Security Management System Beginner’s Guide


In this article we lay bare ISO27001 Clause 4.3 Determining The Scope Of The Information Security Management System. We expose the insider trade secrets, give you the templates that will save you hours of your life and show you exactly what you need to do to satisfy it for ISO27001 certification. We also show you exactly what changed in the ISO27001:2022 update. I am Stuart Barker, the ISO27001 Ninja, and this is ISO27001 Clause 4.3.

What is ISO27001 Clause 4.3 Determining the scope of the information security management system?

ISO27001 has a list of requirements that it calls clauses, and this is one of the clauses that needs to be met. If we are going to implement ISO27001 and go for ISO27001 certification, then this is one of the first, and main, clauses that we want to address.

What is the requirement of ISO27001 Clause 4.3?

This clause forms part of ISO27001 Clause 4 Context of Organisation. We have looked at ISO27001 Clause 4.1 Understanding the Organisation and its Context to identify internal and external issues, and in ISO27001 Clause 4.2 we looked at interested parties and their needs.

In ISO27001 Clause 4.3 we are looking at determining the scope of the information security management system.

What are the ISO27001:2022 Changes to Clause 4.3?

Not a massive change to ISO27001 Clause 4.3 in the 2022 update, as the only thing it does is remove the word ‘and’ from 4.3 b. Great, isn’t it?

What does the standard say about ISO27001 Clause 4.3?

ISO27001 defines clause 4.3 as:

The organisation shall determine the boundaries and applicability of the information security management system to establish its scope.

When determining this scope, the organisation shall consider:

a) the external and internal issues referred to in 4.1
b) the requirements referred to in 4.2
c) interfaces and dependencies between activities performed by the organisation, and those that are performed by other organisations.

ISO27001 Clause 4.3

So we can see the work we have already done in previous clauses is not in vain and has the additional purpose of influencing the scope decisions we make.

How to define ISO27001 Scope

Scope is vitally important. It clearly sets out what we are going to apply our information security management system to and, more importantly, it defines what will go on our ISO27001 certificate. This is a little trickier to work out, but we have provided a detailed, easy to follow guide on How To Define ISO27001 Scope. It includes an ISO27001 Scope Statement Template that is part of the ISO27001 templates toolkit.

Example ISO27001 Scope Statement

If you are wondering what a good scope statement looks like, then this is taken directly from our ISO27001 certification, by way of example.

Information security consultancy and virtual chief information security officer services in accordance with the statement of applicability version 1.2

High Table ISO27001 Scope Statement

You can see in the example that we have first laid out the products/services that we offer and that are in scope, and that we have referenced our Statement of Applicability and its version. The Statement of Applicability is the list of controls that we have implemented. A nice, simple scope statement.

ISO27001 Clause 4.3 Template

The ISO27001 Documented Scope Template is a great document to help to define and document scope. A quick and effective way to satisfy the requirements of this clause of the standard.


Part of the ISO27001 Templates Toolkit but also available to download individually.

How to comply with ISO27001 Clause 4.3

Time needed: 1 day.

How to comply with ISO27001 Clause 4.3 Determining the scope of the information security management system

  1. List your products and services

    List out all of your products and services as your customers would know them.

  2. Ask your customer and clients which products and services they would expect to be ISO27001 certified

    Speak with your clients; they will tell you what their expectations are. You can also examine existing contracts and look at existing questionnaires that you have been sent. All of these will lead you to an understanding of what should be in scope. If the answer is ‘everything’, then you can prioritise the list based on what is most commercially beneficial to you and start there. It is ok to start small and increase the scope over time as you become comfortable with the process and the requirements.

  3. Document your ISO27001 Scope

    Formally document your ISO27001 scope. You will want to record your ISO27001 Scope Statement, which is the statement that will go on your final ISO27001 certificate. It is also good practice to think about the people, processes, technology and locations that are needed to support the in-scope products and services, and which will therefore naturally fall within the scope of the ISO27001 certification. Explicitly stating what is out of scope is also good practice and helps with your internal management.

  4. Review and Approve the ISO27001 scope

    At the next management review meeting, be sure to share and review the ISO27001 scope. Get agreement on the scope and formally document that agreement in the meeting minutes.

ISO27001 Clause 4.3 FAQ

Should the entire organisation be in scope for ISO27001 certification?

No. The burden and overhead of ISO27001 is high and documentation heavy. Including the whole organisation when it is not needed will put undue pressure on resources such as staff time and company money. You should narrow the scope of ISO27001 to the products and/or services that are relevant to your customers and clients. You can even narrow the scope to a subset of that and prioritise for year 1, with a view to extending the scope once you are comfortable with the process and what is involved. Do not overcomplicate it.

How do I define ISO27001 certification scope?

The simple answer is that scope is defined exactly by what your customers and clients are asking to be in scope. This is the products and services that you provide that they expect to be covered by an ISO27001 certification. No more. No less. Focus your scope on what you are being asked for commercially and on what will bring you the most commercial benefit.

What is the impact if I get ISO27001 scope wrong?

Getting the ISO27001 scope wrong can lead to you not meeting the requirements of your customers and clients. If this happens, the entire exercise will have been a wasted journey. In addition, if you increase the scope beyond what is required, you introduce a lot of effort and bureaucracy that your organisation could otherwise have avoided. This can lead to lost time and lost profits. Be sure you spend time on this part of the process to get it right. If in doubt, ask your clients what they expect of you. They will tell you. That is your focus. That is your scope.

ISO27001 Scope Statement example?

The following is a good example of an ISO27001 scope statement:

Information security consultancy and virtual chief information security officer services in accordance with the statement of applicability version 1.2

This is taken directly from the High Table ISO27001 Scope Statement.

ISO27001 Scope template?

You can download the ISO27001 scope statement template here: https://hightable.io/product/iso-27001-scope-document-template/

ISO27001 Certification Requirements

ISO27001 Certification Requirements set out clause by clause with these complete beginner’s guides that include everything you need to know, what to do and ISO27001 templates.
