Table of contents
- What is ISO 27001 Clause 4.3?
- Purpose
- Definition
- Ownership
- Implementation Guide
- Implementation Checklist
- Audit Checklist
- How to Define ISO 27001 Scope
- Example ISO 27001 Scope Statement
- Watch the Tutorial
- How to pass an audit
- What the auditor will check
- ISO 27001 Templates
- Mistakes for ISO 27001 Clause 4.3
- ISO 27001 Clause 4.3 FAQ
- Further Reading
What is ISO 27001 Clause 4.3?
ISO 27001 Clause 4.3 Determining The Scope Of The Information Security Management System requires an organisation to define the scope of its information security management system (ISMS).
The scope clarifies:
- Which parts of the organisation are included in the ISMS
- The boundaries of the organisation’s ISO 27001 certification.
Purpose
The primary purpose of ISO 27001 Clause 4.3 is to ensure a clear and well-defined scope for your Information Security Management System (ISMS) and your subsequent ISO 27001 certification. This clarity helps establish:
- Which parts of the organisation are included within the boundaries of the ISMS.
- The specific areas that will be assessed during the ISO 27001 certification audit.
By defining the scope, organisations can ensure that their ISMS is focused on the most critical areas and that their certification accurately reflects the extent of their information security efforts.
Definition
The ISO 27001 standard defines ISO 27001 Clause 4.3 as:
The organisation shall determine the boundaries and applicability of the information security management system to establish its scope.
ISO 27001:2022 Clause 4.3 Determining The Scope Of The Information Security Management System
When determining this scope, the organisation shall consider:
a) the external and internal issues referred to in ISO 27001 Clause 4.1 Understanding The Organisation And Its Context
b) the requirements referred to in ISO 27001 Clause 4.2 Understanding The Needs And Expectations Of Interested Parties
c) interfaces and dependencies between activities performed by the organisation, and those that are performed by other organisations.
The scope shall be available as documented information.
Ownership
The Information Security Officer is responsible for collaborating closely with the senior leadership and domain experts to identify and manage the scope of the information security management system.

Implementation Guide
When implementing ISO 27001, to comply with ISO 27001 Clause 4.3 Determining The Scope Of The Information Security Management System (ISMS), you will need to:
- Identify in-scope products and services: pinpoint the specific products, services, and associated activities that will be covered by the ISMS.
- Define supporting elements: identify the people, premises, technology, and suppliers that directly support the in-scope products and services.
Implementation Checklist
ISO 27001 Clause 4.3 Implementation Checklist
Define Organisational Boundaries
Challenge
Clearly identifying where the organisation’s boundaries lie, especially in complex or multi-national organisations.
Solution
- Utilise organisational charts, legal documents, and stakeholder interviews to define the organisational structure.
- Consider third-party relationships and their impact on information security.
Identify Core Products and Services
Challenge
Accurately determining the core products and services offered, especially in diverse organisations with multiple business units.
Solution
- Conduct workshops with key stakeholders (e.g., management, product owners, sales) to identify and document core offerings.
- Utilise process mapping and data flow diagrams to visualise the flow of products and services.
Identify Supporting Functions
Challenge
Determining which departments and functions are critical to the delivery of core products and services.
Solution
- Analyse organisational structure and identify departments that directly or indirectly support core business functions.
- Consider departments like IT, HR, finance, legal, and facilities.
Identify Information Assets
Challenge
Identifying all critical information assets, including data, systems, and intellectual property.
Solution
- Conduct a comprehensive information asset inventory, including data classification exercises.
- Utilise data flow diagrams and business process mapping to identify information flows.
Identify Information Security Risks
Challenge
Accurately assessing the potential threats and vulnerabilities associated with in-scope products and services.
Solution
- Conduct a thorough risk assessment, considering internal and external threats.
- Prioritise risks based on their likelihood and potential impact.
Determine Scope Exclusions
Challenge
Identifying activities, departments, or systems that will be explicitly excluded from the scope of the ISMS.
Solution
- Clearly document the rationale for any exclusions.
- Ensure that excluded areas do not pose significant risks to the organisation’s information security.
Define Scope Statement
Challenge
Creating a concise and unambiguous scope statement that is easily understood by all stakeholders.
Solution
- Use clear and concise language.
- Obtain input and approval from key stakeholders.
- Regularly review and update the scope statement to reflect changes in the organisation or its environment.
Communicate Scope to Stakeholders
Challenge
Ensuring that all relevant stakeholders understand the scope of the ISMS and their roles and responsibilities within it.
Solution
- Conduct training sessions and awareness campaigns.
- Distribute the scope statement to all employees.
- Include the scope statement in relevant policies and procedures.
Obtain Management Approval
Challenge
Securing management approval for the defined scope of the ISMS.
Solution
- Present the proposed scope to management and address any concerns or questions.
- Obtain formal approval from top management.
Document and Maintain
Challenge
Maintaining accurate and up-to-date documentation of the scope of the ISMS.
Solution
- Store the scope statement in a central location.
- Regularly review and update the scope statement as needed.
- Ensure that all changes to the scope are properly documented.
By following these steps and addressing the associated challenges, organisations can establish a well-defined scope for their ISMS, which is essential for successful ISO 27001 implementation and ongoing compliance.
Audit Checklist
The following is a summary of the ISO 27001 Clause 4.3 Audit Checklist:
Are Organisational Boundaries Defined:
- Are there organisational charts and documentation of the organisational structure in place?
- Have third-party relationships and their impact on information security been considered?
Are Core Products and Services Identified:
- Were workshops with key stakeholders used to identify and document core offerings?
- Are there process maps and data flow diagrams that visualise the flow of products and services?
- Are core products and services clearly documented?
Were Supporting Functions Included:
- Is there documentation of which departments and functions are critical to the delivery of core products and services?
- Was the organisational structure analysed to identify departments that directly or indirectly support core business functions?
- Were departments such as IT, HR, finance, legal, and facilities considered?
Is There Information Asset Documentation:
- Are all critical information assets, including data, systems, and intellectual property, documented?
- Is there a comprehensive information asset inventory, including data classification exercises?
- Have data flow diagrams and business process mapping been used to identify information flows?
Information Security Risks:
- Is the assessment of potential threats and vulnerabilities associated with in-scope products and services documented and evidenced?
- Was a thorough risk assessment, considering internal and external threats, carried out?
- Are risks prioritised based on their likelihood and potential impact?
Scope Exclusions:
- Are the activities, departments, or systems explicitly excluded from the scope of the ISMS documented?
- Is the rationale for each exclusion documented and sound?
- Has it been confirmed that excluded areas do not pose significant risks to the organisation’s information security?
Scope Statement:
- Is there a concise and unambiguous scope statement that is easily understood by all stakeholders?
- Is clear and concise language used?
- Was approval obtained from key stakeholders?
- Is it regularly reviewed and updated to reflect changes in the organisation or its environment?
Communicate Scope to Stakeholders:
- Do all relevant stakeholders understand the scope of the ISMS and their roles and responsibilities within it?
- Is there evidence of training sessions and awareness campaigns?
- Was the scope statement distributed to all employees?
Obtain Management Approval:
- Can you evidence management approval for the defined scope of the ISMS?
Document and Maintain:
- Is the documentation of the scope of the ISMS accurate and up to date?
- Where is the scope statement stored, and is it centrally accessible?
- Is there evidence of regular review and update of the scope statement?
- Are all changes to the scope properly documented?
How to Define ISO 27001 Scope
Scope is vitally important for your ISO 27001 certification. It clearly sets out what we are going to apply our information security management system to and, more importantly, it defines what will go on our ISO 27001 certificate.
Determining your scope effectively can be challenging. To assist you, we’ve created a comprehensive guide: “How To Define ISO 27001 Scope.” This guide provides clear, step-by-step instructions to help you establish a well-defined scope.
Furthermore, we’ve included an ISO 27001 Scope Statement Template within our ISO 27001 Toolkit. This template can be used as a valuable resource to assist in the development of your official scope statement.
Example ISO 27001 Scope Statement
An example ISO 27001 Scope Statement:
The scope of this Information Security Management System (ISMS) encompasses all products and services offered by [Organisation Name], as outlined in [link to product/service catalogue or relevant document]. The implementation of controls is detailed within the Statement of Applicability, version [version number].
In practice:
A practical example, taken directly from our ISO 27001 certification, is:
Information security consultancy and virtual chief information security officer services in accordance with the statement of applicability version 2.1
High Table ISO 27001 Scope Statement
Watch the Tutorial
Watch the ISO 27001 tutorial How to implement ISO 27001 Clause 4.3 Determine Scope Of The Information Security Management System
How to pass an audit
To successfully pass an audit of ISO 27001 Clause 4.3, a crucial step in achieving ISO 27001 certification, you must ensure you have implemented the mandatory ISO 27001 documents and ISO 27001 policies. You are going to need to put ISO 27001 controls in place to:
- Document an ISO 27001 Scope Statement
- Implement the ISO 27001 standard within that scope
What the auditor will check
The auditor will assess several key areas related to Clause 4.3 during their audit:
Documented Scope:
- Requirement: You must have a documented scope for your Information Security Management System (ISMS).
- Verification: The auditor will check for the existence of a documented scope statement. Utilising the ISO 27001 Scope Template can simplify this process.
Scope Implementation:
- Requirement: You must have implemented the ISO 27001 standard within the defined scope.
- Verification: The auditor will assess whether the requirements of the ISO 27001 standard have been applied effectively to the identified products, services, and areas included within the scope.
Approved Scope:
- Requirement: Your documented scope must be formally approved.
- Verification: The auditor will check for evidence of scope approval, such as documented approvals and signatures from relevant management personnel.
ISO 27001 Templates
Accelerate your ISO 27001 implementation with ready-to-use templates.
The ISO 27001 Scope Template provides a structured framework for defining the scope of your Information Security Management System (ISMS), fully meeting the requirements of ISO 27001 Clause 4.3.
Key Features:
- Pre-filled with common scope examples: Provides a solid foundation and saves you time.
- Available as an individual download: Offers flexibility for specific needs.
- Included in the internationally acclaimed ISO 27001 Toolkit: Access a comprehensive suite of templates and resources to streamline your entire implementation process.

Mistakes for ISO 27001 Clause 4.3
Defining an Overly Broad Scope:
The Problem: Including unnecessary areas within the scope of your ISMS can lead to wasted time, resources, and unnecessary costs.
Solution: Carefully consider and document the specific products, services, and areas that require information security controls.
Neglecting Client Expectations:
The Problem: Failing to consider client expectations and requirements within the scope of your ISMS can diminish the value of your certification.
Solution: Involve clients in the scope definition process to ensure your ISMS addresses their specific needs and concerns.
Poor Scope Management:
The Problem: Inadequate documentation, version control, and review of the scope statement can lead to confusion and non-compliance.
Solution:
- Maintain accurate and up-to-date records of the scope statement.
- Implement a robust version control system.
- Regularly review and update the scope statement to reflect changes in the organisation or its environment.
ISO 27001 Clause 4.3 FAQ
Should I include the whole organisation in the scope of ISO 27001?
No. The burden and overhead of ISO 27001 is high and documentation heavy. Including the whole organisation if it is not needed will put undue pressure on resources such as staff time and your company’s money. You should narrow the scope of ISO 27001 to the products and/or services that are relevant to your customers and clients. You can even narrow the scope to a subset of that and prioritise for year 1, with a view to extending the scope once you are comfortable with the process and what is involved. Do not over-complicate it.
What changed in ISO 27001 Clause 4.3 in the 2022 update?
Not a massive change to ISO 27001 Clause 4.3 in the 2022 update, as the only thing it does is remove the word ‘and’ from 4.3 b. Great, isn’t it?
What is the ISO 27001 scope?
The ISO 27001 scope defines the boundaries of your organisation’s Information Security Management System (ISMS). It outlines the specific areas of your organisation, information assets, and activities that are covered by the ISMS.
What happens if I get the ISO 27001 scope wrong?
Getting the ISO 27001 scope wrong can lead to you not meeting the requirements of your customers and clients. If this happens, the entire exercise will be a wasted journey. In addition, if you increase the scope beyond what is required, you introduce a lot of effort and bureaucracy your organisation could otherwise have avoided. This can lead to lost time and lost profits. Be sure you spend time on this part of the process to get it right. If in doubt, ask your clients what they expect of you. They will tell you. This is your focus. This is your scope.
What are the benefits of a well-defined scope?
A well-defined scope helps focus resources, ensures effective risk management, streamlines audits, enhances stakeholder communication, and improves internal awareness.
Can I use an ISO 27001 Scope Template?
Yes, using an ISO 27001 Scope Template can help you efficiently define and document the scope of your ISMS.
How do I determine the ISO 27001 scope?
Conduct thorough risk assessments, analyse stakeholder needs, and consider the organisation’s overall business objectives.
Can I exclude areas from the scope of the ISMS?
Yes, you can exclude certain areas from the scope of your ISMS. However, you must clearly document the reasons for exclusion and ensure that these exclusions do not significantly impact the overall security posture of the organisation.
Who should be involved in defining the scope?
Key stakeholders should be involved, including senior management, IT personnel, legal and compliance officers, and representatives from relevant departments.