In this ultimate guide to ISO 27001 Clause 4.3 Determining The Scope Of The Information Security Management System you will learn
- What is ISO 27001 Clause 4.3
- How to implement ISO 27001 Clause 4.3
- How to define ISO 27001 Scope
- Example ISO 27001 Scope Statements
I am Stuart Barker, the ISO 27001 Ninja and author of the Ultimate ISO 27001 Toolkit.
With over 30 years industry experience I will show you what’s new, give you ISO 27001 templates, show you examples, do a walkthrough and show you how to implement it for ISO 27001 certification.
Table of contents
- What is ISO 27001 Clause 4.3?
- How to implement ISO 27001 Clause 4.3
- ISO 27001 Clause 4.3 Youtube Tutorial
- How to Define ISO 27001 Scope
- Example ISO 27001 Scope Statement
- ISO 27001 Templates
- How to pass an audit of ISO 27001 Clause 4.3
- What will the auditor check?
- Top 3 Mistakes People Make
- ISO 27001 Clause 4.3 FAQ
What is ISO 27001 Clause 4.3?
ISO 27001 Clause 4.3 is Determining The Scope Of The Information Security Management System. It requires an organisation to define the scope of the information security management system (ISMS). The scope defines what areas of the organisation are covered by the information security management system (ISMS) and what the scope of you ISO 27001 Certification is.
Getting the scope right can be the difference between passing or failing, over spending, over working and over committing resources.
ISO 27001 Clause 4.3 Purpose
The purpose of ISO 27001 Clause 4.3 is to make sure you have defined the scope of your information security management system and your ISO 27001 certification so that it is clear what the management system covers.
ISO 27001 Clause 4.3 Definition
The ISO 27001 standard defines ISO 27001 Clause 4.3 as:
The organisation shall determine the boundaries and applicability of the information security management system to establish its scope.
ISO 27001:2022 Clause 4.3 Determining The Scope Of The Information Security Management System
When determining this scope, the organisation shall consider:
a) the external and internal issues referred to in ISO 27001 Clause 4.1 Understanding The Organisation And Its Context
b) the requirements referred to in ISO 27001 Clause 4.2 Understanding The Needs And Expectations Of Interested Parties
c) interfaces and dependencies between activities performed by the organisation, and those that are performed by other organisations.
How to implement ISO 27001 Clause 4.3
The following is a step by step implementation guide to comply with SO 27001 Clause 4.3 Determining The Scope Of The Information Security Management System (ISMS):
1. List your products and services
List out all of your products and services as your customer would know them.
2. Speak to your customers
Ask your customer and clients which products and services they would expect to be ISO 27001 certified. Speaking with your clients they will tell you what their expectations are. You can examine existing contracts and look at existing questionnaires that you have been sent. All of these will lead you to an understanding of what should be in scope. If the answer is – everything then you can look to prioritise the list based on what is most commercially beneficial to you and start there. It is ok to start small and increase the scope over time as you become comfortable with the process and the requirements.
3. Document your ISO 27001 Scope
Formally document your ISO 27001 scope. You will want to record your ISO 27001 Scope Statement which is the statement that will go on your final ISO 27001 certificate. It is also good practice to think about the people, processes, technology and locations that are needed to support the in scope products and services and which will therefore naturally fall in scope of the ISO 27001 certification. Explicitly stating what is out of scope can be good practice and help with your internal management.
4. Review and Approve the ISO 27001 scope
At the next management review meeting be sure to share and review the ISO 27001 scope. Getting agreement on the scope and formally documenting the agreement in the meeting minutes.
ISO 27001 Clause 4.3 Youtube Tutorial
Watch the ISO 27001 Clause 4.3 YouTube tutorial How to implement ISO 27001 Clause 4.3 Determine Scope Of The Information Security Management System
How to Define ISO 27001 Scope
Scope is vitally important for your ISO 27001 Certification. It clearly sets out what we are going to apply our information security management system to and more importantly it defines what will go on our ISO 27001 certificate.
This is a little tricker to work out but we have provided a detailed, easy to follow guide on How To Define ISO 27001 Scope.
It includes an ISO 27001 Scope Statement Template that is part of the ISO 27001 templates toolkit.
Example ISO 27001 Scope Statement
If you are wondering what a good ISO 27001 scope statement looks like, then this is taken directly from our ISO 27001 certification, by way of example.
Information security consultancy and virtual chief information security officer services in accordance with the statement of applicability version 1.2
High Table ISO 27001 Scope Statement
You can see in the example we have first laid out the products / services that we offer and that are in scope and we have referenced our Statement of Applicability and it’s version. The statement of applicability is the list of controls that we have implemented. A nice simple scope statement.
ISO 27001 Templates
ISO 27001 templates are a great way to fast track your implementation and leverage industry best practice.
The ISO 27001 Scope Template fully satisfies the requirements of ISO 27001 Clause 4.3 and is pre written with common ISO 27001 scope examples.
Available as individual download it is also part of the internationally best selling and award winning ISO 27001 Toolkit.
DO IT YOURSELF ISO 27001
All the templates, tools, support and knowledge you need to do it yourself.
How to pass an audit of ISO 27001 Clause 4.3
To pass an audit of ISO 27001 Clause 4.3 you are going to:
- Write an ISO 27001 Scope Statement
- Implement the ISO 27001 standard
What will the auditor check?
The auditor is going to check a number of areas for compliance with Clause 4.3. Lets go through them
1. That you have documented your scope
The simplest way to document your scope is with the ISO 27001 Scope Template.
2. That you have implement the standard
Once you have determined the scope the audit will check that you have applied the requirements of the ISO 27001 standard to that scope.
3. That you have approved the scope
Having written, documented and approved scope is key. The audit will check that the scope is documented and that you can evidence that it was approved and signed off.
Top 3 Mistakes People Make
The top 3 mistakes people make for ISO 27001 Clause 4.3 are
1. You got your scope wrong
This sounds harsh, as it is your scope and what ever you say it is, it is. What I am getting at here is that because you didn’t understand it you included things in scope that did not need to be in scope and as a result of that spent way too much money, time and resources do something you just did not need to do. Spend time to get the scope right. It will save you in the end.
2. You did not scope for client need
Worse than including things you did not need to include is not including what your clients expect of you. Having a certification for something that has no relevance to your clients is worse than having no certification at all.
3. Your document and version control is wrong
Keeping your document version control up to date, making sure that version numbers match where used, having a review evidenced in the last 12 months, having documents that have no comments in are all good practices.
ISO 27001 Clause 4.3 FAQ
No. The burden and overhead of ISO 27001 is high and documentation heavy. Including the whole organisation if it is not needed will put undue pressure on resources such as staff time and your company money. You should narrow the scope of the ISO 27001 to the products and/ or services that are relevant to your customers and clients. You can even narrow the scope to a subset of that and prioritise for year 1 with a view to extending scope once you are comfortable with the process and what is involved. Do not over complicate it.
Not a massive change to ISO 27001 Clause 4.3 in the 2022 update as the only thing it does is remove the word ‘and’ from 4.3 b. Great isn’t it?
The simple answer is that scope is defined exactly by what your customers and clients are asking you to do be in scope. This is the products and services that you provide that they expect to have an ISO 27001 certification. No more. No less. Focus your scope on what you are being asked for commercially and will bring you the most commercial benefits.
Getting the ISO 27001 scope wrong can lead to you not meeting the requirements of your customers and clients. If this happens the entire exercise will be a wasted journey. In addition if you increase the scope beyond what is required you introduce a lot of effort and bureaucracy your organisation could otherwise have avoided. This can lead to lost time and lost profits. Be sure you spend time on this part of the process to get it right. If in doubt, ask your clients what they expect of you. They will tell you. This is your focus. This is your scope.
The following is a good example of an ISO 27001 scope statement
Information security consultancy and virtual chief information security officer services in accordance with the statement of applicability version 1.2
This is taken directly from the High Table ISO 27001 Scope Statement
You can download the ISO 27001 scope statement template at High Table: The ISO 27001 Company.
Other than your ISO 27001 certification requiring it, the following are benefits of implementing ISO 27001 Annex A 4.3:
Improved security: You will have an effective information security management system that is applied to what you need and want to protect
Reduced risk: You will reduce the risk to your information security management system by identifying what needs protecting
Improved compliance: Standards and regulations require scope to be in place
Reputation Protection: In the event of a breach having effectively managed the scope of the management system will reduce the potential for fines and reduce the PR impact of an event
Senior management are responsible for ensuring that ISO 27001 Clause 4.3 is implemented and maintained.
ISO 27001 Clause 4.3 is important because it if you get the scope wrong you will spend time and money you did not need to spend and the certification will not cover client needs. We protect what is important to us and we assign our limited resources to those priorities.