The audit scope defines the boundaries of an organisation’s Information Security Management System (ISMS) and specifies exactly what will be included in the ISO 27001 certification or audit. It’s a formal statement that clearly outlines which parts of the business are covered by the ISMS, and which are not.
Key Components of an Audit Scope
A well-defined scope is critical because it keeps the ISMS focused, manageable, and aligned with the organisation’s business objectives. It also fixes the boundary that every later activity works within: the risk assessment, the Statement of Applicability, and the audit itself all take the scope as their starting point. An audit scope typically details:
- Organisational Units: Which departments, teams, or business functions are included.
- Physical Locations: The specific buildings, offices, or data centres that are in scope.
- Technologies & Systems: The hardware, software, and IT systems covered. This can include on-premises infrastructure, cloud services, and specific applications.
- Processes & Services: The key business processes, products, or services that fall under the ISMS.
- Interfaces & Dependencies: Where in-scope activities rely on, or hand information to, parties outside the scope, such as a cloud provider, an outsourced help desk, or a sister company. Clause 4.3 explicitly requires these to be considered, and the scope should state where the organisation’s responsibility ends and the third party’s begins.
Example Scope Statement
The Information Security Management System (ISMS) covers the development, operation, and support of the company’s cloud-based [application], including all related IT infrastructure, data centres, and personnel located at the [City, Country] headquarters.
ISO 27001 Context
Defining the audit scope is a mandatory requirement under ISO 27001 Clause 4.3 (Determining the scope of the information security management system). It is a foundational step that must be based on the organisation’s context (Clause 4.1, Understanding the organization and its context) and the needs of interested parties (Clause 4.2, Understanding the needs and expectations of interested parties). Clause 4.3 also requires the scope to be available as documented information, so a scope that exists only in people’s heads does not meet the requirement. An auditor will use the scope statement to decide what to examine during the certification audit, and the same wording is reproduced on the certificate that is issued, so it should be precise enough that a reader can tell whether a given system, site, or team is covered. Anything deliberately left out should be a defensible decision: auditors routinely probe whether an excluded unit or system still handles in-scope information, and an exclusion that cannot be justified is a common cause of nonconformities.