ISO 27001 Clause 4.3 Determining the scope of the information security management system

ISO 27001 Clause 4.3 Determining the scope of the information security management system

What is ISO 27001 Clause 4.3, how to write it and a downloadable ISO 27001 Clause 4.3 Template.

What is ISO 27001 Clause 4.3 Determining the scope of the information security management system?

ISO 27001 has a list of requirements that it calls clauses and this is one of those clauses that need to met. If we are going to implement ISO 27001 and go for ISO 27001 certification then this is one of the first, and main, clauses that we want to address.

What is the actual requirement of ISO 27001 Clause 4.3

This clause forms part of ISO 27001 Clause 4 Context of Organisation.  We have looked at ISO 27001 Clause 4.1 Understanding the Organisation and it’s context to identify internal issues, external issues in ISO 27001 Clause 4.2 we looked at interested parties and their needs.

In ISO 27001 Clause 4.3 we are looking at determining the scope of the information security management system.

How to define ISO 27001 Scope

Scope is vitally important. It clearly sets out what we are going to apply our information security management system to and more importantly it defines what will go on our ISO 27001 certificate. This is a little tricker to work out but we have provided a detailed, easy to follow guide on How To Define ISO 27001 Scope. It includes an ISO 27001 Scope Statement Template that is part of the ISO 27001 templates toolkit.

ISO 27001 Guidance on Scope

The standard provides some guidance that can be useful:

The organisation shall determine the boundaries and applicability of the information security management system to establish its scope.
“When determining this scope, the organisation shall consider:


a) the external and internal issues referred to in 4.1
b) the requirements referred to in 4.2
c) interfaces and dependencies between activities performed by the organisation, and those that are performed by other organisations.

So we can see the work we have already done in previous clauses is not in vain and has the additional purpose of influencing the scope decisions we make.

Example ISO 27001 Scope Statement

If you are wondering what a good scope statement looks like, then this is taken directly from our ISO 27001 certification, by way of example.

Information security consultancy and virtual chief information security officer services in accordance with the statement of applicability version 1.2

High Table ISO 27001 Scope Statement

You can see in the example we have first laid out the products / services that we offer and that are in scope and we have referenced our Statement of Applicability and it’s version. The statement of applicability is the list of controls that we have implemented. A nice simple scope statement.

Downloadable template for ISO 27001 Clause 4.3 Determining the scope of the information security management system

The ISO 27001 Documented Scope Template is a great document to help to define and document scope. A quick and effective way to satisfy the requirements of this clause of the standard.

ISO 27001 Certification

ISO 27001 Templates Toolkit: Business Edition

ISO 27001 Policy Templates: Professional Edition

Shopping Cart