Introduction
In this article we lay bare ISO 27001:2022 Clause 4.3 Determining The Scope Of The Information Security Management System.
Using over two decades of experience on hundreds of ISO 27001 audits and ISO 27001 certifications I am going to show you what’s new, give you templates, show you examples and do a walkthrough.
In this ISO 27001 certification guide I show you exactly what changed in the ISO 27001:2022 update.
I am Stuart Barker the ISO 27001 Ninja and this is ISO 27001:2022 Clause 4.3
Table of contents
- Introduction
- What is ISO 27001:2022 Clause 4.3 Determining the scope of the information security management system?
- What is the requirement of ISO 27001 Clause 4.3?
- What are the ISO 27001:2022 Changes to Clause 4.3?
- What does the standard say about ISO 27001:2022 Clause 4.3?
- How to define ISO 27001 Scope
- Example ISO 27001 Scope Statement
- ISO 27001 Clause 4.3 Template
- How to comply with ISO 27001:2022 Clause 4.3
- ISO 27001 Clause 4.3 FAQ
What is ISO 27001:2022 Clause 4.3 Determining the scope of the information security management system?
ISO 27001 has a list of requirements that it calls clauses, and this is one of the clauses that needs to be met. If we are going to implement ISO 27001 and go for ISO 27001 certification then this is one of the first, and main, clauses that we want to address, because everything that follows (risk assessment, the Statement of Applicability, the audit itself) is bounded by the scope we set here.
What is the requirement of ISO 27001 Clause 4.3?
This clause forms part of ISO 27001 Clause 4 Context of the Organisation. In ISO 27001 Clause 4.1 Understanding the Organisation and its Context we identified internal and external issues, and in ISO 27001 Clause 4.2 we looked at interested parties and their needs and expectations.
In ISO 27001 Clause 4.3 we are looking at determining the scope of the information security management system.
What are the ISO 27001:2022 Changes to Clause 4.3?
Not a massive change to ISO 27001 Clause 4.3 in the 2022 update: the only edit is that the word 'and' is removed from the end of 4.3 b). The requirement itself is unchanged. Great, isn't it?
What does the standard say about ISO 27001:2022 Clause 4.3?
ISO 27001:2022 defines clause 4.3 as:
The organisation shall determine the boundaries and applicability of the information security management system to establish its scope.
When determining this scope, the organisation shall consider:
a) the external and internal issues referred to in 4.1;
b) the requirements referred to in 4.2;
c) interfaces and dependencies between activities performed by the organisation, and those that are performed by other organisations.
The scope shall be available as documented information.
So we can see that the work we have already done in the previous clauses is not in vain: the issues from 4.1 and the interested-party requirements from 4.2 feed directly into the scope decisions we make here. Point c) also means you need to know where your in-scope activities rely on other organisations, such as hosting providers, cloud platforms or outsourced support, and decide how those interfaces sit relative to the scope boundary.
How to define ISO 27001 Scope
Scope is vitally important. It clearly sets out what we are going to apply our information security management system to and, more importantly, it defines what will go on our ISO 27001 certificate. This is a little trickier to work out, but we have provided a detailed, easy to follow guide on How To Define ISO 27001 Scope. It includes an ISO 27001 Scope Statement Template that is part of the ISO 27001 Templates Toolkit.
Example ISO 27001 Scope Statement
If you are wondering what a good scope statement looks like, then this is taken directly from our ISO 27001 certification, by way of example.
Information security consultancy and virtual chief information security officer services in accordance with the statement of applicability version 1.2
High Table ISO 27001 Scope Statement
You can see in the example that we have first laid out the products / services that we offer and that are in scope, and we have referenced our Statement of Applicability and its version. The Statement of Applicability is the list of Annex A controls, recording which ones apply to us, which we have excluded and why. Note that because the certificate references a specific Statement of Applicability version, issuing a new version of the Statement of Applicability means the scope statement, and the wording on the certificate, needs to be kept in step with it. A nice simple scope statement.
ISO 27001 Clause 4.3 Template
The ISO 27001 Documented Scope Template is a great document to help to define and document scope. A quick and effective way to satisfy the requirements of this clause of the standard.
It is part of the ISO 27001 Templates Toolkit but is also available to download individually.
How to comply with ISO 27001:2022 Clause 4.3
Time needed: 1 day.
- List your products and services
List out all of your products and services as your customers would know them.
- Ask your customers and clients which products and services they would expect to be ISO 27001 certified
Speak with your clients and they will tell you what their expectations are. You can also examine existing contracts and look at existing security questionnaires that you have been sent. All of these will lead you to an understanding of what should be in scope. If the answer is "everything", then prioritise the list based on what is most commercially beneficial to you and start there. It is fine to start small and increase the scope over time as you become comfortable with the process and the requirements.
- Document your ISO 27001 Scope
Formally document your ISO 27001 scope; the standard requires the scope to be available as documented information. You will want to record your ISO 27001 Scope Statement, which is the statement that will go on your final ISO 27001 certificate. It is also good practice to set out the people, processes, technology and locations that are needed to support the in-scope products and services, as these will naturally fall within the scope of the ISO 27001 certification. Clause 4.3 c) also asks you to consider interfaces and dependencies with other organisations, so record the suppliers and outsourced services the in-scope products rely on and where the boundary with them sits. Explicitly stating what is out of scope is good practice too; it helps with your internal management and it gives the auditor a clear boundary to work to.
- Review and Approve the ISO 27001 scope
At the next management review meeting, be sure to share and review the ISO 27001 scope. Get agreement on the scope and formally record that agreement in the meeting minutes, so that there is evidence the scope was approved by management.
ISO 27001 Clause 4.3 FAQ
Does the whole organisation have to be in scope?
No. The burden and overhead of ISO 27001 is high and documentation heavy. Including the whole organisation if it is not needed will put undue pressure on resources such as staff time and your company's money. You should narrow the scope of the ISMS to the products and / or services that are relevant to your customers and clients. You can even narrow the scope to a subset of that and prioritise for year 1, with a view to extending the scope once you are comfortable with the process and what is involved. Do not over complicate it.
How do I define the ISO 27001 scope?
The simple answer is that scope is defined by exactly what your customers and clients are asking you to have in scope. This is the products and services that you provide that they expect to be covered by an ISO 27001 certification. No more, no less. Focus your scope on what you are being asked for commercially and what will bring you the most commercial benefit.
What happens if I get the ISO 27001 scope wrong?
Getting the ISO 27001 scope wrong can lead to you not meeting the requirements of your customers and clients. If this happens the entire exercise will have been a wasted journey. In addition, if you increase the scope beyond what is required you introduce a lot of effort and bureaucracy your organisation could otherwise have avoided. This can lead to lost time and lost profits. Be sure you spend time on this part of the process to get it right. If in doubt, ask your clients what they expect of you. They will tell you. This is your focus. This is your scope.
What is an example of an ISO 27001 scope statement?
The following is a good example of an ISO 27001 scope statement:
Information security consultancy and virtual chief information security officer services in accordance with the statement of applicability version 1.2
This is taken directly from the High Table ISO 27001 Scope Statement
You can download the ISO 27001 scope statement template here: https://hightable.io/product/iso-27001-scope-document-template/
ISO 27001:2022 Certification Requirements
What's new, ISO 27001 templates, examples and a walkthrough for each ISO 27001:2022 clause.
- ISO 27001:2022 Clause 4.1 Understanding The Organisation And Its Context
- ISO 27001:2022 Clause 4.2 Understanding The Needs And Expectations Of Interested Parties
- ISO 27001:2022 Clause 4.3 Determining The Scope Of The Information Security Management System
- ISO 27001:2022 Clause 4.4 Information Security Management System (ISMS)
- ISO 27001:2022 Clause 5.1 Leadership And Commitment
- ISO 27001:2022 Clause 5.2 Information Security Policy
- ISO 27001:2022 Clause 5.3 Organisational Roles, Responsibilities And Authorities
- ISO 27001:2022 Clause 6 Planning
- ISO 27001:2022 Clause 6.1.1 Planning General
- ISO 27001:2022 Clause 6.1.2 Information Security Risk Assessment
- ISO 27001:2022 Clause 6.1.3 Information Security Risk Treatment
- ISO 27001:2022 Clause 6.2 Information Security Objectives And Planning To Achieve Them
- ISO 27001:2022 Clause 7.1 Resources
- ISO 27001:2022 Clause 7.2 Competence
- ISO 27001:2022 Clause 7.3 Awareness
- ISO 27001:2022 Clause 7.4 Communication
- ISO 27001:2022 Clause 7.5.1 Documented Information
- ISO 27001:2022 Clause 7.5.2 Creating And Updating Documented Information
- ISO 27001:2022 Clause 7.5.3 Control Of Documented Information
- ISO 27001:2022 Clause 8.1 Operational Planning And Control
- ISO 27001:2022 Clause 8.2 Information Security Risk Assessment
- ISO 27001:2022 Clause 8.3 Information Security Risk Treatment
- ISO 27001:2022 Clause 9.1 Monitoring, Measurement, Analysis, Evaluation
- ISO 27001:2022 Clause 9.2 Internal Audit
- ISO 27001:2022 Clause 9.3 Management Reviews
- ISO 27001:2022 Clause 10.1 Continual Improvement
- ISO 27001:2022 Clause 10.2 Non Conformity and Corrective Action