ISO 27001 Scope
In this ultimate guide to ISO 27001 Clause 4.3 Determining The Scope Of The Information Security Management System (ISMS) you will learn
- What ISO 27001 scope is
- How to define scope for ISO 27001
- Examples of scope for ISO 27001
- An Implementation Checklist
- An Audit Checklist
What is ISO 27001 Clause 4.3?
ISO 27001 Clause 4.3 Determining The Scope Of The Information Security Management System is an ISO 27001 clause that requires an organisation to define the scope of the information security management system (ISMS).
The scope clarifies:
- Which parts of the organisation are included in the ISMS
- The boundaries of the organisation’s ISO 27001 certification.
ISO 27001 Clause 4.3 Purpose
The primary purpose of ISO 27001 Clause 4.3 is to ensure a clear and well-defined scope for your Information Security Management System (ISMS) and your subsequent ISO 27001 certification. This clarity helps establish:
- Which parts of the organisation are included within the boundaries of the ISMS.
- The specific areas that will be assessed during the ISO 27001 certification audit.
By defining the scope, organisations can ensure that their ISMS is focused on the most critical areas and that their certification accurately reflects the extent of their information security efforts.
ISO 27001 Clause 4.3 Definition
The ISO 27001 standard defines ISO 27001 Clause 4.3 as:
The organisation shall determine the boundaries and applicability of the information security management system to establish its scope.
ISO 27001:2022 Clause 4.3 Determining The Scope Of The Information Security Management System
When determining this scope, the organisation shall consider:
a) the external and internal issues referred to in ISO 27001 Clause 4.1 Understanding The Organisation And Its Context
b) the requirements referred to in ISO 27001 Clause 4.2 Understanding The Needs And Expectations Of Interested Parties
c) interfaces and dependencies between activities performed by the organisation, and those that are performed by other organisations.
ISO 27001 Clause 4.3 Ownership
The Information Security Officer is responsible for collaborating closely with the senior leadership and domain experts to identify and manage the scope of the information security management system.
How to implement ISO 27001 Clause 4.3
How to implement ISO 27001 Clause 4.3 Determining The Scope Of The Information Security Management System (ISMS)
1. Define Organisational Boundaries
Clearly identify where the organisation’s boundaries lie, especially in complex or multi-national organisations.
- Utilise organisational charts, legal documents, and stakeholder interviews to define the organisational structure.
- Consider third-party relationships and their impact on information security.
2. List all your products and services
List out all of the products and services that you have and document them.
- Conduct workshops with key interested parties (e.g., management, product owners, sales) to identify and document core offerings.
- Utilise process mapping and data flow diagrams to visualise the flow of products and services.
3. Ask your customers which products and services they expect to be in scope
From your list of products and services, ask your customers which of them they expect to be in scope. Review current contracts for any scope requirements.
4. Ask your leadership team which products and services they expect to be in scope
From your list of products and services, ask your leadership team which of them they expect to be in scope.
5. Ask the list of interested parties which products and services they expect to be in scope
From your list of products and services, ask your interested parties which of them they expect to be in scope.
6. Document the list of products and services that are in scope
Taking the input from customers, leadership and interested parties, document the list of products and services that are in scope.
7. Review your internal and external issues
Review the products and services that are in scope against the list of internal and external issues to determine whether there are any directly related issues, or changes to existing issues.
8. Confirm the list of products and services that are in scope
Agree and sign off the scope with the senior leadership team and document the agreement.
9. Identify Supporting Functions
Determine which departments and functions are critical to the delivery of core products and services.
- Analyse organisational structure and identify departments that directly or indirectly support core business functions.
- Consider departments like IT, HR, finance, legal, and facilities.
10. Determine Scope Exclusions
Identify activities, departments, or systems that will be explicitly excluded from the scope of the ISMS.
- Clearly document the rationale for any exclusions.
- Ensure that excluded areas do not pose significant risks to the organisation’s information security.
11. Document and understand the ISO 27001 Scope Boundaries
Identify the people, premises, technology, and suppliers that directly support the in-scope products and services, and understand the interfaces between in-scope and out-of-scope entities, as well as with third-party organisations.
12. Write your ISO 27001 Scope Statement
Summarise your scope in the required ISO 27001 scope statement.
- Use clear and concise language.
- Obtain input and approval from key interested parties.
- Regularly review and update the scope statement to reflect changes in the organisation or its environment.
13. Communicate Scope to Stakeholders
Ensure that all relevant stakeholders understand the scope of the ISMS and their roles and responsibilities within it.
- Conduct training sessions and awareness campaigns.
- Distribute the scope statement to all employees.
- Include the scope statement in relevant policies and procedures.
14. Obtain Management Approval
Secure management approval for the defined scope of the ISMS.
- Present the proposed scope to management and address any concerns or questions.
- Obtain formal approval from top management.
15. Verify the scope statement with the certification body (optional)
Share your ISO 27001 scope statement with the external ISO 27001 certification body for feedback and confirmation.
How to audit ISO 27001 Clause 4.3
1. Check that scope boundaries are defined
- Review scope documentation, diagrams, and network maps.
- Interview personnel involved in defining the scope.
- Check for consistency with other documented information.
2. Check that the scope is aligned with the organisation’s goals
- Review business strategy documents, risk assessments, and management review minutes.
- Interview senior management about how the scope supports business objectives.
3. Review scope exclusions
- Review the documented justifications for exclusions.
- Interview personnel about the rationale behind exclusions.
- Assess the potential impact of excluded elements on information security.
4. Ensure the scope is documented
- Inspect the scope document for completeness, accuracy, and clarity.
- Check version control and document accessibility.
5. Check interdependencies between systems
- Review network diagrams, data flow diagrams, and agreements with third parties.
- Interview personnel about system interconnections and dependencies.
6. Check alignment with legal and regulatory requirements
- Review legal and regulatory requirements relevant to the organisation.
- Check that the scope document reflects these requirements.
7. Evidence the inclusion of supporting processes
- Review process documentation and interview personnel from supporting functions.
- Assess the impact of these processes on information security.
8. Ensure that the scope was communicated
- Review communication records and interview personnel about their understanding of the scope.
- Check for evidence of communication to relevant stakeholders.
9. Gain evidence of scope reviews
- Examine the process for reviewing and updating the scope.
- Check review frequency and evidence of updates.
- Look for triggers for review (e.g., changes in business strategy, new threats).
10. Review justifications for scope changes
- Review records of scope changes and their justifications.
- Interview personnel about the reasons for changes and their impact on the ISMS.
How to Define ISO 27001 Scope
Scope is vitally important for your ISO 27001 Certification. It clearly sets out what we are going to apply our information security management system to and, more importantly, it defines what will go on our ISO 27001 certificate.
Determining your scope effectively can be challenging. To assist you, we’ve created a comprehensive guide: “How To Define ISO 27001 Scope.” This guide provides clear, step-by-step instructions to help you establish a well-defined scope.
Furthermore, we’ve included an ISO 27001 Scope Statement Template within our ISO 27001 Toolkit. This template can be used as a valuable resource to assist in the development of your official scope statement.
Example ISO 27001 Scope Statement
An example ISO 27001 Scope Statement:
The scope of this Information Security Management System (ISMS) encompasses all products and services offered by [Organisation Name], as outlined in [link to product/service catalogue or relevant document]. The implementation of controls is detailed within the Statement of Applicability, version [version number].
In practice:
A practical example, taken directly from our ISO 27001 certification, is:
Information security consultancy and virtual chief information security officer services in accordance with the statement of applicability version 2.1
High Table ISO 27001 Scope Statement
ISO 27001 Scope Template
Accelerate your ISO 27001 implementation with ready-to-use templates.
The ISO 27001 Scope Template provides a structured framework for defining the scope of your Information Security Management System (ISMS), fully meeting the requirements of ISO 27001 Clause 4.3.
Key Features:
- Pre-filled with common scope examples: Provides a solid foundation and saves you time.
- Available as an individual download: Offers flexibility for specific needs.
- Included in the internationally acclaimed ISO 27001 Toolkit: Access a comprehensive suite of templates and resources to streamline your entire implementation process.
Watch the Tutorial
Watch the ISO 27001 tutorial How to implement ISO 27001 Clause 4.3 Determine Scope Of The Information Security Management System
How to pass an audit of ISO 27001 Clause 4.3
To successfully pass an audit of ISO 27001 Clause 4.3, a crucial step in achieving ISO 27001 Certification, you must ensure you have implemented the mandatory ISO 27001 documents and ISO 27001 policies. You are going to need to put in place ISO 27001 controls to:
- Document an ISO 27001 Scope Statement
- Implement the ISO 27001 standard
What the auditor will check
The auditor will assess several key areas related to Clause 4.3 during their audit:
1. Documented Scope
You must have a documented scope for your Information Security Management System (ISMS). The auditor will check for the existence of a documented scope statement. Utilising the ISO 27001 Scope Template can simplify this process.
2. Scope Implementation
You must have implemented the ISO 27001 standard within the defined scope. The auditor will assess whether the requirements of the ISO 27001 standard have been applied effectively to the identified products, services, and areas included within the scope.
3. Approved Scope
Your documented scope must be formally approved. The auditor will check for evidence of scope approval, such as documented approvals and signatures from relevant management personnel.
Common Mistakes for ISO 27001 Clause 4.3
1. Defining an Overly Broad Scope
Including unnecessary areas within the scope of your ISMS can lead to wasted time, resources, and unnecessary costs. Carefully consider and document the specific products, services, and areas that require information security controls.
2. Neglecting Client Expectations
Failing to consider client expectations and requirements within the scope of your ISMS can diminish the value of your certification. Involve clients in the scope definition process to ensure your ISMS addresses their specific needs and concerns.
3. Poor Scope Management
Inadequate documentation, version control, and review of the scope statement can lead to confusion and non-compliance. Maintain accurate and up-to-date records of the scope statement, implement a robust version control system and regularly review and update the scope statement to reflect changes in the organisation or its environment.
ISO 27001 Clause 4.3 FAQ
No. The burden and overhead of ISO 27001 is high and documentation heavy. Including the whole organisation if it is not needed will put undue pressure on resources such as staff time and company money. You should narrow the scope of the ISO 27001 to the products and/or services that are relevant to your customers and clients. You can even narrow the scope to a subset of that and prioritise for year 1, with a view to extending scope once you are comfortable with the process and what is involved. Do not overcomplicate it.
Not a massive change to ISO 27001 Clause 4.3 in the 2022 update, as the only thing it does is remove the word ‘and’ from 4.3 b. Great, isn’t it?
The ISO 27001 scope defines the boundaries of your organisation’s Information Security Management System (ISMS). It outlines the specific areas of your organisation, information assets, and activities that are covered by the ISMS.
Getting the ISO 27001 scope wrong can lead to you not meeting the requirements of your customers and clients. If this happens, the entire exercise will be a wasted journey. In addition, if you increase the scope beyond what is required, you introduce a lot of effort and bureaucracy your organisation could otherwise have avoided. This can lead to lost time and lost profits. Be sure you spend time on this part of the process to get it right. If in doubt, ask your clients what they expect of you. They will tell you. This is your focus. This is your scope.
A well-defined scope helps focus resources, ensures effective risk management, streamlines audits, enhances stakeholder communication, and improves internal awareness.
Yes, using an ISO 27001 Scope Template can help you efficiently define and document the scope of your ISMS.
Conduct thorough risk assessments, analyse stakeholder needs, and consider the organisation’s overall business objectives.
Yes, you can exclude certain areas from the scope of your ISMS. However, you must clearly document the reasons for exclusion and ensure that these exclusions do not significantly impact the overall security posture of the organisation.
Key stakeholders should be involved, including senior management, IT personnel, legal and compliance officers, and representatives from relevant departments.