The Ultimate Guide To ISO 27001 Clause 4.3 Determining The Scope Of The Information Security Management System


In this article we lay bare ISO 27001 Clause 4.3 Determining The Scope Of The Information Security Management System. Exposing the insider trade secrets, giving you the templates that will save you hours of your life and showing you exactly what you need to do to satisfy it for ISO 27001 certification.

What is ISO 27001 Clause 4.3 Determining the scope of the information security management system?

ISO 27001 has a list of mandatory requirements that it calls clauses, and this is one of those clauses that needs to be met. If we are going to implement ISO 27001 and go for ISO 27001 certification then this is one of the first, and most important, clauses that we want to address, because everything that follows (risk assessment, controls, audit) is bounded by it.

What is the requirement of ISO 27001 Clause 4.3?

This clause forms part of ISO 27001 Clause 4 Context of the Organisation. In ISO 27001 Clause 4.1 Understanding the Organisation and its Context we identified the internal and external issues that affect the organisation, and in ISO 27001 Clause 4.2 we identified the interested parties and their needs and expectations.

In ISO 27001 Clause 4.3 we are looking at determining the scope of the information security management system.

What does the standard say about ISO 27001 Clause 4.3?

ISO 27001 defines clause 4.3 as:

“The organisation shall determine the boundaries and applicability of the information security management system to establish its scope.

When determining this scope, the organisation shall consider:

a) the external and internal issues referred to in 4.1;
b) the requirements referred to in 4.2;
c) interfaces and dependencies between activities performed by the organisation, and those that are performed by other organisations.”

ISO 27001 Clause 4.3

So we can see that the work we have already done in the previous clauses is not in vain: the issues from 4.1 and the interested party requirements from 4.2 are inputs that directly shape the scope decisions we make. Point c) is the one most often overlooked. If an in scope service depends on a supplier, a cloud provider or a group company that performs part of the activity, that interface and dependency has to be identified and considered, even though the other organisation itself is not inside your scope.

How to define ISO 27001 Scope

Scope is vitally important. It clearly sets out what we are going to apply our information security management system to and, more importantly, it defines what will go on our ISO 27001 certificate. This is a little trickier to work out, but we have provided a detailed, easy to follow guide on How To Define ISO 27001 Scope. It includes an ISO 27001 Scope Statement Template that is part of the ISO 27001 templates toolkit.

Example ISO 27001 Scope Statement

If you are wondering what a good scope statement looks like, then this is taken directly from our ISO 27001 certification, by way of example.

Information security consultancy and virtual chief information security officer services in accordance with the statement of applicability version 1.2

High Table ISO 27001 Scope Statement

You can see in the example that we have first laid out the products / services that we offer and that are in scope, and then referenced our Statement of Applicability and its version. The Statement of Applicability is the document that lists the controls, records whether each one is applicable to us, and gives the justification for including or excluding it. Referencing its version ties the certificate to a specific, auditable set of controls. A nice simple scope statement.

ISO 27001 Clause 4.3 Template

The ISO 27001 Documented Scope Template is a great document to help to define and document scope. A quick and effective way to satisfy the requirements of this clause of the standard.

Part of the ISO 27001 Templates Toolkit but also available to download individually.

How to comply with ISO 27001 Clause 4.3

Time needed: 1 day.

How to comply with ISO 27001 Clause 4.3 Determining the scope of the information security management system

  1. List your products and services

List out all of your products and services as your customers would know them.

  2. Ask your customer and clients which products and services they would expect to be ISO 27001 certified

Speak with your clients and they will tell you what their expectations are. You can also examine existing contracts and look at existing security questionnaires that you have been sent. All of these will lead you to an understanding of what should be in scope. If the answer is everything, then prioritise the list based on what is most commercially beneficial to you and start there. It is fine to start small and increase the scope over time as you become comfortable with the process and the requirements.

  3. Document your ISO 27001 Scope

Formally document your ISO 27001 scope. The standard requires the scope to be available as documented information, so a verbal agreement is not enough. You will want to record your ISO 27001 Scope Statement, which is the statement that will go on your final ISO 27001 certificate. It is also good practice to think about the people, processes, technology and locations that are needed to support the in scope products and services, which will therefore naturally fall within the scope of the ISO 27001 certification. Record the interfaces and dependencies on other organisations (suppliers, cloud providers, group companies) that the in scope services rely on. Explicitly stating what is out of scope, and why, is good practice: it helps with your internal management and gives the auditor a defensible boundary rather than one they have to infer.

  4. Review and Approve the ISO 27001 scope

At the next management review meeting, be sure to share and review the ISO 27001 scope. Get agreement on the scope and formally document that agreement in the meeting minutes.

ISO 27001 Clause 4.3 FAQ

Should the entire organisation be in scope for ISO 27001 certification?

Not necessarily. The burden and overhead of ISO 27001 is high and documentation heavy. Including the whole organisation if it is not needed will put undue pressure on resources such as staff time and your company money. You should narrow the scope of the ISO 27001 certification to the products and/or services that are relevant to your customers and clients. You can even narrow the scope to a subset of that and prioritise for year 1, with a view to extending the scope once you are comfortable with the process and what is involved. Do not over complicate it. One caveat: whatever you put in scope must bring with it the people, processes, technology and locations that support it. An auditor will not accept a scope that names a service but excludes the systems or teams that deliver it, so every exclusion needs to be a genuine boundary that you can justify.

How do I define ISO 27001 certification scope?

The simple answer is that scope is defined by exactly what your customers and clients are asking you to have in scope. This is the set of products and services that you provide that they expect to be covered by an ISO 27001 certification. No more. No less. Focus your scope on what you are being asked for commercially and what will bring you the most commercial benefit.

What is the impact if I get ISO 27001 scope wrong?

Getting the ISO 27001 scope wrong can lead to you not meeting the requirements of your customers and clients. Customers check the scope statement on the certificate, and if the service they buy from you is not named on it, the certificate does not give them the assurance they asked for and the entire exercise will have been a wasted journey. Equally, if you increase the scope beyond what is required you introduce a lot of effort and bureaucracy that your organisation could otherwise have avoided, leading to lost time and lost profits. Be sure you spend time on this part of the process to get it right. If in doubt, ask your clients what they expect of you. They will tell you. This is your focus. This is your scope.

ISO 27001 Scope Statement example?

The following is a good example of an ISO 27001 scope statement:

Information security consultancy and virtual chief information security officer services in accordance with the statement of applicability version 1.2

This is taken directly from the High Table ISO 27001 Scope Statement.

ISO 27001 Scope template?

You can download the ISO 27001 scope statement template here: https://hightable.io/product/iso-27001-scope-document-template/


About the Author

Stuart Barker

Stuart is an ISO 27001 Consultant and author of the ISO 27001 Templates Toolkit. Over 20 years he has helped hundreds of organisations with the ISO 27001 standard and getting them ISO 27001 certification with a 100% success rate.
