Introduction
In this tutorial we will cover ISO 27001 Scope.
You will learn what ISO 27001 Scope is and how to implement it.
Table of contents
ISO 27001 Scope
To determine the scope of your Information Security Management System (ISMS) you need to understand what your customers and clients want you to be ISO 27001 certified for.
It is rare that you would determine the scope of your information security management for certification to be the entirety of your organisation. It is good practice to apply the isms to your whole organisation but when it comes to certification you are going to narrow that scope.
The reasons why you narrow the scope:
- You have limited resources: you have limited time, money, people.
- You want to create an output that is of value to the people that are asking us for it. They want assurances that you are doing the right thing for information security in relation to the products and services that they are buying from you.
ISO 27001 Templates
The ISO 27001 Scope Template is complete with examples and laid out and structured in a way.
DO IT YOURSELF ISO 27001
All the templates, tools, support and knowledge you need to do it yourself.
Implementation Guide
List your products and services
List out all of the products and services that you deliver and as your customer would know them. This will give you a complete list of everything that you offer.
Ask your customers
Ask your customer and clients which products and services they would expect to be ISO 27001 certified.
This can be straightforward as you may already have been asked.
Take that list of all of the things that you do and work out which ones your clients require you to be certified for.
Document Your Scope
Implement your documentation and document your scope.
Formally document your scope to include everything that’s in scope and everything that’s out of scope.
Your information security management system may apply to your entire organisation and that’s fine, it makes sense, but for certification scope – define what’s in and what’s out.
Ensure that you are crystal clear in your understanding of what it is that you are actually certifying against.
The documentation required
There are layers of documentation in the definition of scope:
- The high-level scope statement: the ISO 27001 Scope Statement is the statement that goes on your ISO 27001 certificate, it’s probably the first question that you’re going to be asked by the certification body when you go to book your certification audit. Getting that right getting, getting that crafted is absolutely fundamental and key.
- In scope out and of scope: this is the details on scope for people, technologies, networks, locations.
- Supporting documents: these include architectural diagrams and technical documentation to a level that’s appropriate to you but increasing in detail, through a series of documentation steps.
Example ISO 27001 Scope Statement
High Table is ISO 27001 UKAS accredited. We’ve been through that formal process and on our ISO 27001 certificate – information security consultancy and virtual Chief Information Security Officer services in accordance with the statement of applicability version 1.2.
It’s a succinct scope statement. It is what goes on the certificate and it lays out exactly what it is that we provide making reference to the thing called the ‘statement of applicability’ and its current version.
You can read more detailed information in the ISO 27001 Statement of Applicability: Ultimate Guide