ISO 27001 Determining The Scope Of The Information Security Management System

The focus for this ISO 27001 Clause is basically scope. As one of the ISO 27001 controls this is about working out what the scope of the information security management system is and what the scope of you ISO 27001 Certification is.

You will learn what ISO clause 4.3 is, how to simply and easily implement it for ISO 27001 certification and I will show you some common gotchas so you can avoid them.

Watch

What is it?

ISO 27001 Clause 4.3 requires you to work out the scope of your information security management system.

An information security management system is made up of the ISO 27001 documentsISO 27001 policies and processes that deliver your information security controls and keeps you safe.

Getting the scope right can be the difference between passing or failing, over spending, over working and over committing resources.

Purpose

The purpose of clause 4.3 is to make sure you have considered and defined the scope of your information security management system and your ISO 27001 certification in line with the requirements of the ISO 27001standard.

Definition

The ISO 27001 standard defines ISO 27001 clause 4.3 as:

The organisation shall determine the boundaries and applicability of the information security management system to establish its scope.

When determining this scope, the organisation shall consider:

a) the external and internal issues referred to in ISO 27001 Clause 4.1 Understanding The Organisation And Its Context
b) the requirements referred to in ISO 27001 Clause 4.2 Understanding The Needs And Expectations Of Interested Parties
c) interfaces and dependencies between activities performed by the organisation, and those that are performed by other organisations.

ISO 27001:2022 Clause 4.3 Determining The Scope Of The Information Security Management System

So we can see the work we have already done in previous clauses is not in vain and has the additional purpose of influencing the scope decisions we make.

Requirement

This clause forms part of ISO 27001 Clause 4 Context of Organisation.  We have looked at ISO 27001 Clause 4.1 Understanding the Organisation and its context to identify internal issues, external issues in ISO 27001 Clause 4.2 we looked at interested parties and their needs.

In ISO 27001 Clause 4.3 we are looking at determining the scope of the information security management system.

ISO 27001 Scope Template

ISO 27001 templates have the advantage of being a massive boost that can save time and money so before we get into the implementation guide we consider these pre written templates that will sky rocket your implementation. Not interested in ISO 27001 templates, then you can skip to the next section.

The ISO 27001 Scope Template fully satisfies the requirements of ISO 27001 Clause 4.3 and is pre written with common examples. Available as individual download it is also part of the internationally best selling and award winning ISO 27001 Toolkit.

ISO 27001 Scope Document Template

DO IT YOURSELF ISO27001

STOP SPANKING £10,000s

ISO 27001 Toolkit

How to define ISO 27001 Scope

Scope is vitally important. It clearly sets out what we are going to apply our information security management system to and more importantly it defines what will go on our ISO 27001 certificate. This is a little tricker to work out but we have provided a detailed, easy to follow guide on How To Define ISO 27001 Scope. It includes an ISO 27001 Scope Statement Template that is part of the ISO 27001 templates toolkit.

Defining ISO 27001 Scope: Step-by-Step

The step by step guide to defining scope:

1. List your products and services

List out all of your products and services as your customer would know them

2. Ask your customer and clients which products and services they would expect to be ISO 27001 certified

Speaking with your clients they will tell you what their expectations are. You can examine existing contracts and look at existing questionnaires that you have been sent. All of these will lead you to an understanding of what should be in scope. If the answer is – everything then you can look to prioritise the list based on what is most commercially beneficial to you and start there. It is ok to start small and increase the scope over time as you become comfortable with the process and the requirements.

3. Document your ISO 27001 Scope

Formally document your ISO 27001 scope. You will want to record your ISO 27001 Scope Statement which is the statement that will go on your final ISO 27001 certificate. It is also good practice to think about the people, processes, technology and locations that are needed to support the in scope products and services and which will therefore naturally fall in scope of the ISO 27001 certification. Explicitly stating what is out of scope can be good practice and help with your internal management.

4. Review and Approve the ISO 27001 scope

At the next management review meeting be sure to share and review the ISO 27001 scope. Getting agreement on the scope and formally documenting the agreement in the meeting minutes.

Example ISO 27001 Scope Statement

If you are wondering what a good scope statement looks like, then this is taken directly from our ISO 27001 certification, by way of example.

Information security consultancy and virtual chief information security officer services in accordance with the statement of applicability version 1.2

High Table ISO 27001 Scope Statement

You can see in the example we have first laid out the products / services that we offer and that are in scope and we have referenced our Statement of Applicability and it’s version. The statement of applicability is the list of controls that we have implemented. A nice simple scope statement.

How to comply

To comply with ISO 27001 Clause 4.3 you are going to implement the ‘how’ to the ‘what’ the clause is expecting. You are going to

How to pass an audit

To pass an audit of ISO 27001 Clause 4.3 you are going to make sure that you have followed the steps above in how to comply.

You are then going to conduct an internal audit, following the How to Conduct an ISO 27001 Internal Audit Guide.

What will the audit check?

The audit is going to check a number of areas for compliance with Clause 4.3. Lets go through them

1. That you have documented your scope

The simplest way to do this is with the ISO 27001 Scope Document.

2. That you have implement the standard

Once you have determined the scope the audit will check that you have applied the requirements of the ISO 27001 standard to that scope.

3. That you have approved the scope

Having written, documented and approved scope is key. The audit will check that the scope is documented and that you can evidence that it was approved and signed off.

Top 3 Mistakes People Make

In my experience, the top 3 mistakes people make for ISO 27001 clause 4.3 are

1. You got your scope wrong

This sounds harsh, as it is your scope and what ever you say it is, it is. What I am getting at here is that because you didn’t understand it you included things in scope that did not need to be in scope and as a result of that spent way too much money, time and resources do something you just did not need to do. Spend time to get the scope right. It will save you in the end.

2. You did not scope for client need

Worse than including things you did not need to include is not including what your clients expect of you. Having a certification for something that has no relevance to your clients is worse than having no certification at all.

3. Your document and version control is wrong

Keeping your document version control up to date, making sure that version numbers match where used, having a review evidenced in the last 12 months, having documents that have no comments in are all good practices.

ISO 27001 Clause 4.3 FAQ

Should the entire organisation be in scope for ISO 27001 certification?

No. The burden and overhead of ISO 27001 is high and documentation heavy. Including the whole organisation if it is not needed will put undue pressure on resources such as staff time and your company money. You should narrow the scope of the ISO 27001 to the products and/ or services that are relevant to your customers and clients. You can even narrow the scope to a subset of that and prioritise for year 1 with a view to extending scope once you are comfortable with the process and what is involved. Do not over complicate it.

What are the ISO 27001:2022 Changes to Clause 4.3?

Not a massive change to ISO 27001 Clause 4.3 in the 2022 update as the only thing it does is remove the word ‘and’ from 4.3 b. Great isn’t it?

How do I define ISO 27001 certification scope?

The simple answer is that scope is defined exactly by what your customers and clients are asking you to do be in scope. This is the products and services that you provide that they expect to have an ISO 27001 certification. No more. No less. Focus your scope on what you are being asked for commercially and will bring you the most commercial benefits.

What is the impact if I get ISO 27001 scope wrong?

Getting the ISO 27001 scope wrong can lead to you not meeting the requirements of your customers and clients. If this happens the entire exercise will be a wasted journey. In addition if you increase the scope beyond what is required you introduce a lot of effort and bureaucracy your organisation could otherwise have avoided. This can lead to lost time and lost profits. Be sure you spend time on this part of the process to get it right. If in doubt, ask your clients what they expect of you. They will tell you. This is your focus. This is your scope.

ISO 27001 Scope Statement example?

The following is a good example of an ISO 27001 scope statement
Information security consultancy and virtual chief information security officer services in accordance with the statement of applicability version 1.2
This is taken directly from the High Table ISO 27001 Scope Statement

ISO 27001 Scope template?

You can download the ISO 27001 scope statement template at High Table: The ISO 27001 Company.

What are the benefits of ISO 27001 Clause 4.3?

Other than your ISO 27001 certification requiring it, the following are benefits of implementing ISO 27001 Annex A 4.3:
Improved security: You will have an effective information security management system that is applied to what you need and want to protect
Reduced risk: You will reduce the risk to your information security management system by identifying what needs protecting
Improved compliance: Standards and regulations require scope to be in place
Reputation Protection: In the event of a breach having effectively managed the scope of the management system will reduce the potential for fines and reduce the PR impact of an event

Who is responsible for ISO 27001 Clause 4.3?

Senior management are responsible for ensuring that ISO 27001 Clause 4.3 is implemented and maintained.

Why is ISO 27001 Clause 4.3 important?

ISO 27001 Clause 4.3 is important because it if you get the scope wrong you will spend time and money you did not need to spend and the certification will not cover client needs. We protect what is important to us and we assign our limited resources to those priorities.