ISO 27001 Determining Scope Of The Information Security Management System


Hi, I’m Stuart Barker, the ISO 27001 Ninja. This is a deep dive into ISO 27001 Determining Scope Of The Information Security Management System: how you should implement it, what the requirements are, what an audit is going to look for, and the common mistakes that people make.

Also be sure to subscribe to my ISO 27001 YouTube Channel.


Determine ISO 27001 Scope

So, let’s look at how to determine ISO 27001 scope. When it comes to determining the scope of the Information Security Management System (ISMS), what we have to do is understand what our customers and clients want from us. It is rare that you would determine the scope of your information security management system for certification to be the entirety of your organisation. It is good practice to apply the ISMS to your whole organisation, but when it comes to certification we’re going to narrow that down. There are a couple of reasons why we narrow the scope.

We only have limited resources: limited time, limited money, limited people. It is quite a bureaucratic, documentation-heavy standard, so the more things we include in the scope, the more work and the more hoops we’re going to have to jump through.

Also, we want to create an output that is of value to the people asking us for it. When people ask us for an ISO 27001 certificate, they are asking because they want assurance that we are doing the right thing for information security in relation to the products and services they are buying from us. So if we are a SaaS online platform delivering payroll, HR or finance systems and we have an ISO 27001 certificate for our storeroom cupboard, that’s not going to cut the mustard. So when we determine our scope, first we look at the products and services that we have, and then we look at what our customers are asking of us. That can be done by asking them: what is it that you think we should be certified for? Nine times out of 10 they’ve already told you, and that’s the reason you’re here going for your ISO 27001 certificate. You can also look at your contracts: what contracts do you have in place with your customers, what products and services are they buying from you, and do any of those contracts stipulate that you need ISO 27001, and for what? That is how we go about defining our ISO 27001 scope.

The purpose of ISO 27001 Determining Scope Of The Information Security Management System

The purpose of ISO 27001 Determining Scope Of The Information Security Management System is to make sure that you have considered and defined the scope of your information security management system in line with the requirements of the standard. I add the caveat “and the requirements of your customers and clients”, because I think that’s slightly more important than the standard.

The definition of ISO 27001 Determining Scope Of The Information Security Management System

So, the book definition.

The ISO 27001 standard defines ISO 27001 Clause 4.3 as: the organisation shall determine the boundaries and applicability of the information security management system to establish its scope. When determining that scope, the organisation shall consider the internal and external issues. We have covered these in previous blogs and videos. The internal and external issues that we defined and went through in ISO 27001 Clause 4.1 Understanding the Organisation and Its Context are going to be important, and we have to make sure we take them into consideration when defining scope. We also have to take into consideration the requirements of interested parties. In a previous video and blog we looked at ISO 27001 Clause 4.2 Understanding the Needs and Expectations of Interested Parties; we need to make sure those are referenced and understood when it comes to defining our scope.

Within our scope we draw a box around the thing we are certifying. It is a virtual, imaginary box, and it creates our boundary. What we also need to do is understand and document the interfaces and dependencies between our activities and those of third parties: where are the infrastructure boundaries, where are the process boundaries, and where are the technical and virtual boundaries.

We need to understand and define the interfaces and dependencies between us and other people. So we can see that a lot of the work we’ve done already has led us here; each clause and each video builds upon the previous one and moves us forward along that journey.

Requirement of ISO 27001 Determining Scope Of The Information Security Management System

So, what is the requirement of Determining Scope Of The Information Security Management System? It forms part of the overall ISO 27001 Clause 4, Context of the Organisation. That high-level Clause 4 is looking at who we are: do we know what our boundaries are, do we know who our interested parties are, and do we know what our internal and external issues are. Determining scope forms part of that clause.

We can implement this through templates.

ISO 27001 Determining Scope Of The Information Security Management System Templates

I released the ultimate ISO 27001 toolkit onto the market. Do I have the most aggressively cost-effective, most ruthlessly efficient toolkit on the market today? Absolutely I have. Totally unique in the marketplace, I also released individual templates for a ridiculously low cost. There is one for this clause: an ISO 27001 Scope Template with examples already in it, already laid out and structured, with a guide and a specific implementation video that goes with it. Be sure to check out the ISO 27001 Template Store to find that template; it’s going to help you with this clause no end.


The steps to define ISO 27001 scope

If you’re not going to get the template, that’s absolutely fine. Let me give you the steps that you’re going to go through to define your scope.

Step one: list your products and services. List out all of the products and services that you deliver, as your customer would know them. Here I want everything on the board.

Step two: ask your customers and clients which products and services they would expect to be ISO 27001 certified. This can be straightforward; you may already have been asked, or you may already have a definition. Take that list of everything you do and work out which are the ones your clients require you to be certified for. As a rule it tends to be one or two, and it’s probably going to be one of your major services or products.

Step three: formally document your scope. Within the template, best practice for me is to include everything that’s in scope and everything that’s out of scope. As I said at the beginning, it may well be that your information security management system applies to your entire organisation, and that’s fine, it makes sense, but for the certification scope we want to define what’s in and what’s out. We want to be crystal clear in our understanding of what it is that we are actually certifying against.

The documentation required

There are layers of documentation that I would expect to see supporting that definition of scope.

The first one is the high-level scope statement. The ISO 27001 Scope Statement is the statement that goes on your ISO 27001 certificate, and it’s probably the first question the certification body is going to ask you when you go to book your certification audit: what is your scope statement? So getting that crafted and getting it right is absolutely fundamental.

If I were working with a client, I would then say: let’s build up some additional documentation around that. In scope and out of scope people; in scope and out of scope technologies, networks and locations. Let’s work through what we have and work out what is in and what is out of scope.

I would expect to see architectural diagrams and documentation, at a level that’s appropriate to you, but increasing in detail through a series of documentation steps. What does that mean? At the top level you’re going to have an architecture diagram, super high level (it could be blobs, it could be squares), that lays out the products and services that you’ve got. Underneath that you’re going to break it down, maybe into a server diagram: a virtual server diagram and a physical server diagram showing where you’ve got your primary servers, your data stores and your databases. Underneath that I would expect to see a network diagram: how is your network laid out, and what are the interdependencies between your networks. By creating that level of documentation, which you should have already, you can start to draw your virtual boundary around the things that are in and the things that are out.

Once I’ve got all of that in place, I’m going to review it and approve it. What do I mean by that? I mean I’m going to take it to the management review meeting, or whatever structure approves and signs off documentation (we will get to the management review meeting and its mechanism in another video). We’re going to have a body within our organisation review it, approve it, and formally document that we have approved it. Do I have an example of an ISO 27001 scope statement? Of course I do.

Example ISO 27001 Scope Statement

High Table is ISO 27001 UKAS accredited. We’ve been through that formal process, and let me read for you the certification statement on our 27001 certificate: information security consultancy and virtual Chief Information Security Officer services in accordance with the statement of applicability version 1.2.

What you can see here is a very succinct scope statement. It is what goes on the certificate, it lays out exactly what we provide, and it makes reference to the statement of applicability and its current version. We’re going to come to the statement of applicability in another video, so don’t worry about that for now. Just know that in this blog on my website, which I’m going to link below, you have example statements that you can take, adapt and craft, so I’ve done some of the hard work for you. How do I pass an audit?


How to pass an audit of ISO 27001 Determining Scope Of The Information Security Management System

To pass an audit, you’re going to implement what I’ve just described. Once you’ve implemented that, you’re going to conduct an internal audit, pass your own internal audit, and then go for certification.

3 Things an Auditor will check

When you go for your certification, your auditor is going to check a number of different things, but at a high level let’s look at three things an auditor will look for. In terms of ISO 27001 Determining Scope Of The Information Security Management System, they’re going to look for whether or not you’ve documented your scope. It’s all well and good having a scope, but ISO 27001 is a standard where if it isn’t written down, it doesn’t exist, so they’re going to check that you have your scope written down, ideally in the ISO 27001 Scope Template that you’ve downloaded from me, but if not, in a similar format. There are videos and guides on it, so you can copy it if you need to, or fast track by doing the download.

Then they’re going to want to make sure that you’ve implemented it and that you’ve implemented the standard. They’re going to look at the scope, look at the standard, and apply the standard to the scope; that’s the entire purpose of ISO 27001 certification.

Then they’re going to check that the scope has been approved. The evidence is that you as a group have approved it: not just the IT manager deciding what it is, not just the information security manager deciding what it is, but you as an organisation following the internal processes that we are going to define and approving that scope.

Let’s look at three mistakes that people make.

3 Mistakes that people make

Three common mistakes that people make when it comes to scope are not going to surprise you. The first is that you got your scope wrong. Getting your scope wrong is absolutely devastating, because the cost, time and effort you are going to spend doing something you didn’t need to do is going to be phenomenal. It is important in the early stages to get that scope right, narrow down that focus and narrow down those resources. I say again, it may well be that you apply the management system to the entire organisation, but the rigour required for 27001 can be quite high, so you want to get that scope right.

The second mistake is that people scope it, but not based on client need. They didn’t listen to the client; they picked a scope that they thought would be easy for them. If you get the scope wrong in the eyes of the client, the certificate becomes useless and pointless. They are using the certificate specifically to gain assurance that you are doing the right thing. If you can’t offer them a certificate that says what it is they’ve bought from you and assures them that it is covered by information security management, then you might as well not give them anything. So make sure you scope to client need; don’t get it wrong.

The third mistake is that your document and version control is wrong. That’s about documentation housekeeping, which I’ve covered many times and am not going to cover again here.

Who is responsible for ISO 27001 Determining Scope Of The Information Security Management System

Who is responsible when it comes to getting the scope right? Senior management and leadership. ISO 27001 is a top-down standard; it is about leadership demonstrating that they are leading. The buck ultimately stops with them, so you want that accountability written into your management system. They are accountable for it, but the doing is typically going to land with the information security manager and the IT manager, whether that’s right or wrong.

Conclusion

Get your scope right, listen to your client, document it, take into consideration your internal and external issues and the needs of your interested parties, and be able to show through documentation the boundaries and interdependencies with third parties. Do that and you are going to be absolutely golden.

Be sure to subscribe to my ISO 27001 YouTube Channel. I am very needy, I need followers, but you’re going to be in good company, as videos are watched tens of thousands of times and we’re approaching thousands of followers on there. I look forward to talking to you, educating you and sharing my knowledge and wisdom.

I am Stuart Barker. I am the ISO 27001 Ninja. That was determining the scope, and I will see you on the next one, but for now, peace out.
