Home / ISO 27001 Clauses / ISO 27001 Clause 4.3 Determining The Scope Of The Information Security Management System

ISO 27001 Clause 4.3 Determining The Scope Of The Information Security Management System

ISO 27001 Scope

In this ultimate guide to ISO 27001 Clause 4.3 Determining The Scope Of The Information Security Management System (ISMS) you will learn

What ISO 27001 scope is
How to define scope for ISO 27001
Examples of scope for ISO 27001
An Implementation Checklist
An Audit Checklist

ISO 27001 Scope
What is ISO 27001 Clause 4.3?
How to implement ISO 27001 Clause 4.3
How to audit ISO 27001 Clause 4.3
How to Define ISO 27001 Scope
Example ISO 27001 Scope Statement
ISO 27001 Scope Template
Watch the Tutorial
How to pass an audit of ISO 27001 Clause 4.3
What the auditor will check
Common Mistakes for ISO 27001 Clause 4.3
ISO 27001 Clause 4.3 FAQ

What is ISO 27001 Clause 4.3?

ISO 27001 Clause 4.3 Determining The Scope Of The Information Security Management System is an ISO 27001 clause that requires an organisation to define the scope of the information security management system (ISMS).

The scope clarifies:

Which parts of the organisation are included in the ISMS
The boundaries of the organisation’s ISO 27001 certification.

ISO 27001 Clause 4.3 Purpose

The primary purpose of ISO 27001 Clause 4.3 is to ensure a clear and well-defined scope for your Information Security Management System (ISMS) and your subsequent ISO 27001 certification. This clarity helps establish:

Which parts of the organisation are included within the boundaries of the ISMS.
The specific areas that will be assessed during the ISO 27001 certification audit.

By defining the scope, organisations can ensure that their ISMS is focused on the most critical areas and that their certification accurately reflects the extent of their information security efforts.

ISO 27001 Clause 4.3 Definition

The ISO 27001 standard defines ISO 27001 Clause 4.3 as:

The organisation shall determine the boundaries and applicability of the information security management system to establish its scope.
When determining this scope, the organisation shall consider:
a) the external and internal issues referred to in ISO 27001 Clause 4.1 Understanding The Organisation And Its Context
b) the requirements referred to in ISO 27001 Clause 4.2 Understanding The Needs And Expectations Of Interested Parties
c) interfaces and dependencies between activities performed by the organisation, and those that are performed by other organisations.
ISO 27001:2022 Clause 4.3 Determining The Scope Of The Information Security Management System

ISO 27001 Clause 4.3 Ownership

The Information Security Officer is responsible for collaborating closely with the senior leadership and domain experts to identify and manage the scope of the information security management system.

How to implement ISO 27001 Clause 4.3

How to implement ISO 27001 Clause 4.3 Determining The Scope Of The Information Security Management System (ISMS)

1. Define Organisational Boundaries

Clearly identify where the organisation’s boundaries lie, especially in complex or multi-national organisations.

Utilise organisational charts, legal documents, and stakeholder interviews to define the organisational structure.
Consider third-party relationships and their impact on information security.

2. List all your products and services

List out all of the products and services that you have and document them.

Conduct workshops with key interested parties (e.g., management, product owners, sales) to identify and document core offerings.
Utilise process mapping and data flow diagrams to visualise the flow of products and services.

3. Ask your customers which products and services they expect to be in scope

From your list of products and services ask your customers which of them they expect to be in scope. Review current contracts for any scope requirements.

4. Ask your leadership team which products and services they expect to be in scope

From your list of products and services ask your leadership team which of them they expect to be in scope.

5. Ask the list of interested parties which products and services they expect to be in scope

From your list of products and services ask your interested parties which of them they expect to be in scope.

6. Document the list of products and services that are in scope

Taking the input from customers, leadership and interested parties document the list of products and services that are in scope.

7. Review your internal and external issues

Review the products and services that are in scope against the list of internal and external issues to determine if their are any direct issues or changes to issues.

8. Confirm the list of of products and services that are in scope

Agree and sign off the scope with the senior leadership team and document the agreement.

9. Identify Supporting Functions

Determine which departments and functions are critical to the delivery of core products and services.

Analyse organisational structure and identify departments that directly or indirectly support core business functions.
Consider departments like IT, HR, finance, legal, and facilities.

10. Determine Scope Exclusions

Identify activities, departments, or systems that will be explicitly excluded from the scope of the ISMS.

Clearly document the rationale for any exclusions.
Ensure that excluded areas do not pose significant risks to the organisation’s information security.

11. Document and understand the ISO 27001 Scope Boundaries

Identifying the people, premises, technology, and suppliers that directly support the in-scope products and services and understand the interfaces between in scope entities and out of scope entities as well as with third party organisations.

12. Write your ISO 27001 Scope Statement

Summarise your scope in the required ISO 27001 scope statement.

Use clear and concise language.
Obtain input and approval from key interested parties.
Regularly review and update the scope statement to reflect changes in the organisation or its environment.

13. Communicate Scope to Stakeholders

Ensure that all relevant stakeholders understand the scope of the ISMS and their roles and responsibilities within it.

Conduct training sessions and awareness campaigns.
Distribute the scope statement to all employees.
Include the scope statement in relevant policies and procedures.

14. Obtain Management Approval

Secure management approval for the defined scope of the ISMS.

Present the proposed scope to management and address any concerns or questions.
Obtain formal approval from top management.

15. Verify the scope statement with the certification body (optional)

Share your ISO 27001 scope statement with the external ISO 27001 certification for feedback and confirmation.

How to audit ISO 27001 Clause 4.3

1. Check that scope boundaries are defined

Review scope documentation, diagrams, and network maps.
Interview personnel involved in defining the scope.
Check for consistency with other documented information.

2. Check that the scope is aligned with the organisation’s goals

Review business strategy documents, risk assessments, and management review minutes.
Interview senior management about how the scope supports business objectives.

3. Review scope exclusions

Review the documented justifications for exclusions.
Interview personnel about the rationale behind exclusions.
Assess the potential impact of excluded elements on information security.

4. Ensure the scope is documented

Inspect the scope document for completeness, accuracy, and clarity.
Check version control and document accessibility.

5. Check interdependencies between systems

Review network diagrams, data flow diagrams, and agreements with third parties.
Interview personnel about system interconnections and dependencies.

6. Check alignment with legal and regulatory requirements

Review legal and regulatory requirements relevant to the organisation.
Check that the scope document reflects these requirements.

7. Evidence the inclusion of supporting processes

Review process documentation and interview personnel from supporting functions.
Assess the impact of these processes on information security.

8. Ensure that the scope was communicated

Review communication records and interview personnel about their understanding of the scope.
Check for evidence of communication to relevant stakeholders.

9. Gain evidence of scope reviews

Examine the process for reviewing and updating the scope.
Check review frequency and evidence of updates.
Look for triggers for review (e.g., changes in business strategy, new threats).

10. Review justifications for scope changes

Review records of scope changes and their justifications.
Interview personnel about the reasons for changes and their impact on the ISMS.

How to Define ISO 27001 Scope

Scope is vitally important for your ISO 27001 Certification. It clearly sets out what we are going to apply our information security management system to and more importantly it defines what will go on our ISO 27001 certificate.

Determining your scope effectively can be challenging. To assist you, we’ve created a comprehensive guide: “How To Define ISO 27001 Scope.” This guide provides clear, step-by-step instructions to help you establish a well-defined scope.

Furthermore, we’ve included an ISO 27001 Scope Statement Template within our ISO 27001 Toolkit. This template can be used as a valuable resource to assist in the development of your official scope statement.

Example ISO 27001 Scope Statement

An example ISO 27001 Scope Statement:

The scope of this Information Security Management System (ISMS) encompasses all products and services offered by [Organisation Name], as outlined in [link to product/service catalogue or relevant document]. The implementation of controls is detailed within the Statement of Applicability, version [version number].

In practice:

A practical example, taken directly from our ISO 27001 certification, is:

Information security consultancy and virtual chief information security officer services in accordance with the statement of applicability version 2.1
High Table ISO 27001 Scope Statement

ISO 27001 Scope Template

Accelerate your ISO 27001 implementation with ready-to-use templates.

The ISO 27001 Scope Template provides a structured framework for defining the scope of your Information Security Management System (ISMS), fully meeting the requirements of ISO 27001 Clause 4.3.

Key Features:

Pre-filled with common scope examples: Provides a solid foundation and saves you time.
Available as an individual download: Offers flexibility for specific needs.
Included in the internationally acclaimed ISO 27001 Toolkit: Access a comprehensive suite of templates and resources to streamline your entire implementation process.

Watch the Tutorial

Watch the ISO 27001 tutorial How to implement ISO 27001 Clause 4.3 Determine Scope Of The Information Security Management System

How to pass an audit of ISO 27001 Clause 4.3

To successfully pass an audit of ISO 27001 Clause 4.3, a crucial step in achieving ISO 27001 Certification, you must ensure you have implemented the mandatory ISO 27001 documents and ISO 27001 polices. You are going to need to put in place ISO 27001 controls to:

Document an ISO 27001 Scope Statement
Implement the ISO 27001 standard

What the auditor will check

The auditor will assess several key areas related to Clause 4.3 during their audit:

1. Documented Scope

:You must have a documented scope for your Information Security Management System (ISMS). The auditor will check for the existence of a documented scope statement. Utilising the ISO 27001 Scope Template can simplify this process.

2. Scope Implementation

You must have implemented the ISO 27001 standard within the defined scope. The auditor will assess whether the requirements of the ISO 27001 standard have been applied effectively to the identified products, services, and areas included within the scope.

3. Approved Scope

Your documented scope must be formally approved. The auditor will check for evidence of scope approval, such as documented approvals and signatures from relevant management personnel.

Common Mistakes for ISO 27001 Clause 4.3

1. Defining an Overly Broad Scope

Including unnecessary areas within the scope of your ISMS can lead to wasted time, resources, and unnecessary costs. Carefully consider and document the specific products, services, and areas that require information security controls.

2. Neglecting Client Expectations

Failing to consider client expectations and requirements within the scope of your ISMS can diminish the value of your certification. Involve clients in the scope definition process to ensure your ISMS addresses their specific needs and concerns.

3. Poor Scope Management

Inadequate documentation, version control, and review of the scope statement can lead to confusion and non-compliance. Maintain accurate and up-to-date records of the scope statement, implement a robust version control system and regularly review and update the scope statement to reflect changes in the organisation or its environment.

ISO 27001 Clause 4.3 FAQ

Should the entire organisation be in scope for ISO 27001 certification?

No. The burden and overhead of ISO 27001 is high and documentation heavy. Including the whole organisation if it is not needed will put undue pressure on resources such as staff time and your company money. You should narrow the scope of the ISO 27001 to the products and/ or services that are relevant to your customers and clients. You can even narrow the scope to a subset of that and prioritise for year 1 with a view to extending scope once you are comfortable with the process and what is involved. Do not over complicate it.

What are the ISO 27001:2022 Changes to Clause 4.3?

Not a massive change to ISO 27001 Clause 4.3 in the 2022 update as the only thing it does is remove the word ‘and’ from 4.3 b. Great isn’t it?

What is the ISO 27001 scope?

The ISO 27001 scope defines the boundaries of your organisation’s Information Security Management System (ISMS). It outlines the specific areas of your organisation, information assets, and activities that are covered by the ISMS.

What is the impact if I get ISO 27001 scope wrong?

Getting the ISO 27001 scope wrong can lead to you not meeting the requirements of your customers and clients. If this happens the entire exercise will be a wasted journey. In addition if you increase the scope beyond what is required you introduce a lot of effort and bureaucracy your organisation could otherwise have avoided. This can lead to lost time and lost profits. Be sure you spend time on this part of the process to get it right. If in doubt, ask your clients what they expect of you. They will tell you. This is your focus. This is your scope.

Why is defining the scope important?

A well-defined scope helps focus resources, ensures effective risk management, streamlines audits, enhances stakeholder communication, and improves internal awareness.

Can I use a template to define the scope?

Yes, using an ISO 27001 Scope Template can help you efficiently define and document the scope of your ISMS.

How do I determine what to include in the scope?

Conduct thorough risk assessments, analyse stakeholder needs, and consider the organisation’s overall business objectives.

Can I exclude certain areas from the scope?

Yes, you can exclude certain areas from the scope of your ISMS. However, you must clearly document the reasons for exclusion and ensure that these exclusions do not significantly impact the overall security posture of the organisation.

Who should be involved in defining the scope?

Key stakeholders should be involved, including senior management, IT personnel, legal and compliance officers, and representatives from relevant departments.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
wp_woocommerce_session_*	2 days	WooCommerce sets this cookie to make a unique code for each customer so that it knows where to find the cart data in the database for each one.
yith_wcmcs_currency	7 days	Required for currency conversion.
__stripe_mid	1 year	Stripe sets this cookie to process payments.
__stripe_sid	1 hour	Stripe sets this cookie to process payments.

Cookie	Duration	Description
yt-player-headers-readable	never	The yt-player-headers-readable cookie is used by YouTube to store user preferences related to video playback and interface, enhancing the user's viewing experience.
yt-remote-cast-available	session	The yt-remote-cast-available cookie is used to store the user's preferences regarding whether casting is available on their YouTube video player.
yt-remote-cast-installed	session	The yt-remote-cast-installed cookie is used to store the user's video player preferences using embedded YouTube video.
yt-remote-connected-devices	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-device-id	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-fast-check-period	session	The yt-remote-fast-check-period cookie is used by YouTube to store the user's video player preferences for embedded YouTube videos.
yt-remote-session-app	session	The yt-remote-session-app cookie is used by YouTube to store user preferences and information about the interface of the embedded YouTube video player.
yt-remote-session-name	session	The yt-remote-session-name cookie is used by YouTube to store the user's video player preferences using embedded YouTube video.
ytidb::LAST_RESULT_ENTRY_KEY	never	The cookie ytidb::LAST_RESULT_ENTRY_KEY is used by YouTube to store the last search result entry that was clicked by the user. This information is used to improve the user experience by providing more relevant search results in the future.

Cookie	Duration	Description
sbjs_current	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_current_add	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_first	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_first_add	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_migrations	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_session	1 hour	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_udata	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.

Cookie	Duration	Description
PREF	8 months	PREF cookie is set by Youtube to store user preferences like language, format of search results and other customizations for YouTube Videos embedded in different sites.
VISITOR_INFO1_LIVE	6 months	YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
VISITOR_PRIVACY_METADATA	6 months	YouTube sets this cookie to store the user's cookie consent state for the current domain.
YSC	session	Youtube sets this cookie to track the views of embedded videos on Youtube pages.
yt.innertube::nextId	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
m	1 year 1 month 4 days	No description available.
_monsterinsights_uj	1 year	Description is currently not available.