ISO 27001 Determining The Scope 


Introduction

Hello! ISO 27001 Ninja here, and today we are going to be looking at ISO 27001 Clause 4.3, determining the scope of the ISMS, the information security management system. We're going to take a deep dive: we're going to look at what the requirements of the standard are, how you can implement it, what auditors are going to look for, and the common mistakes that people make, so that you are 100% successful in your delivery of ISO 27001 Clause 4.3, determining the scope of the information security management system. So, let's dive straight in.

Determine ISO 27001 Scope Blog

On my blog at hightable.io, my website, there is a menu item called 'learn'. Click 'learn', and in the drop-down you are going to see blogs and guides to every single ISO 27001 clause and every single ISO 27001 Annex A control, a lot of detailed information. All of it is free; everything I do I give away for free on there. I've done a number of different blogs on how to define scope and how to implement scope, so be sure to check them out.

How to determine ISO 27001 Scope

So, let's look at how we determine scope. When it comes to determining the scope of the information security management system, what we have to do is understand what our customers and clients want from us. It is rare that you would determine the scope of your information security management system for certification to be the entirety of your organisation. It is good practice to apply the ISMS to your whole organisation, but when it comes to certification we're going to narrow that down.

Why we narrow the scope

There are a couple of reasons why we want to do that. We only have limited resources: limited time, limited money, limited people, and ISO 27001 is quite a bureaucratic, documentation-heavy standard, so the more things we include in the scope, the more work and the more hoops we're going to have to jump through. We also want to create an output that is of value to the people asking us for it. When people ask us for an ISO 27001 certificate they are specifically asking because they want assurance that we are doing the right thing for information security in relation to the products and services they are buying from us. So it is pointless if we are a SaaS online platform delivering payroll, HR, finance systems, whatever it may be, and we have an ISO 27001 certificate for our storeroom cupboard. That's not going to cut the mustard.

The way we go about it

So when we determine our scope, the way we go about it is, first of all, we look at the products and services that we have, and then we look at what our customers are asking of us. That can be by asking them directly: what is it that you think we should be certified for? Nine times out of 10 they've already told you, though, and that's the reason you're here and the reason you're going for your ISO 27001 certificate. You can also look at your contracts: what contracts do you have in place with your customers, what products and services are they buying from you, and do any of those contracts stipulate that you need ISO 27001, and for what? That is how we go about defining what our ISO 27001 scope is.

The purpose of ISO 27001 Determining The Scope 

If we look at the purpose of ISO 27001 Determining The Scope, the purpose is to make sure that you have considered and defined the scope of your information security management system in line with the requirements of the standard. I add the caveat – and the requirements of your customers and clients – because I think that's slightly more important than the standard.

The definition of ISO 27001 Determining The Scope 

What I want to do here is give you the definition. The book definition, the way the ISO 27001 standard defines Determining The Scope, is: the organisation shall determine the boundaries and applicability of the information security management system to establish its scope. When determining that scope, the organisation shall consider a number of things. We've covered these in previous blogs and previous videos, but when defining our scope we have to consider, first, internal and external issues.

Those internal and external issues that we defined and went through in Clause 4.1 are going to be important. We have to make sure that we take them into consideration when defining scope.

We also have to take into consideration the requirements of interested parties. You'll remember that in a previous video and blog – ISO 27001 Clause 4.2 Understanding The Needs And Expectations of Interested Parties Ultimate Certification Guide – we looked at Clause 4.2, understanding the needs and expectations of interested parties. We need to make sure that those requirements are referenced and understood when it comes to defining our scope.

Within our scope we also draw a box around the thing, whatever it is that we're certifying. We draw a virtual, imaginary box and that creates our boundary. But what we also need to do is understand and document the interfaces and dependencies between our activities and those of third parties: where are the infrastructure boundaries, where are the process boundaries, where are the technical and virtual boundaries. We need to understand and define the interfaces and dependencies between us and other people.

So we can see that a lot of the work we've done already has led us here. Each of the Clauses and each of the videos that we go through builds upon the previous one and moves us forward along that journey.

The requirement of ISO 27001 Determining The Scope

So what is the requirement of ISO 27001 Determining The Scope? It forms part of ISO 27001 Clause 4, context of the organisation. That high-level Clause 4 is looking at who we are: do we know what our boundaries are, do we know who our interested parties are, do we know what the issues are, internal and external. Determining the scope forms part of Clause 4, the context of the organisation.

ISO 27001 Determining The Scope Templates

We can implement this through templates. I released the ultimate ISO 27001 toolkit onto the market and, of course, do I have the most aggressively cost-effective, the most ruthlessly efficient toolkit on the market today? Absolutely I have. Totally unique in the marketplace, I also released individual ISO 27001 templates for a ridiculously low cost. You can download individual templates, and there is one for this clause: an ISO 27001 scope template with examples already in it, already laid out and structured, with a guide and a specific implementation video that goes with it. So be sure to check out hightable.io to find that template; it's going to help you with this Clause no end.


The steps to define ISO 27001 scope

If you're not going to go ahead and get the template, that's absolutely fine. Let me give you the steps that you're going to go through to define your scope.

Step one: list your products and services. List out all of the products and services that you deliver, as your customer would know them. Here I want everything, I want everything on a board.

Step two: ask your customers and clients which of those products and services they would expect to be ISO 27001 certified. This can be straightforward; you may already have been asked, you may already have a definition. But take that list of all of the things that you do and work out which are the ones your clients require you to be certified for. As a rule, it tends to be one or two, probably one of your major services or products.

Step three: implement your documentation. Formally document your scope. Within the template, best practice for me is to include everything that's in scope and everything that's out of scope. As I said at the beginning, it may well be that your information security management system applies to your entire organisation; that's fine, it makes sense. But for certification scope what we want to do is define what's in and what's out. We want to be crystal clear in our understanding of what it is that we are actually certifying against.

The documentation required

There are layers of documentation that I would expect to see within that definition of scope, supporting our scope.

The first is the high-level scope statement. The ISO 27001 scope statement is the statement that goes on your ISO 27001 certificate, and it's probably the first question the certification body is going to ask you when you go to book your certification audit: what is your scope statement? So getting that right, getting that crafted, is absolutely fundamental and key.

What I would then say, if I was working with a client, is let's build up some additional documentation around that: in-scope and out-of-scope people, in-scope and out-of-scope technologies, networks, locations. Let's work through what it is that we have and work out what is in and what is out of scope.

I would also expect to see architectural diagrams and documentation, at a level that's appropriate to you but increasing in detail through a series of documentation steps. What does that mean? At a high level you're going to have an architecture diagram, super high level, it could be blobs, it could be squares, that lays out the products and services you've got. Underneath that you're going to break that down, maybe into a server diagram, a virtual server diagram, a physical server diagram, showing where you've got your primary servers, your data stores, your databases. Underneath that I would expect to see a network diagram: how does your network lay out, what are the interdependencies between your networks. By creating that level of documentation, which you should have already, you can start to draw your virtual boundary around the things that are in and the things that are out.

Once I've got all of that in place I'm going to review it and approve it. What do I mean by that? I mean I'm going to take it to the management review meeting, or whatever structure approves and signs off documentation. We will get to the management review meeting and the mechanism in another video, but we are going to review it. We're going to have a body within our organisation review it, approve it and formally document that we have approved it.

Example ISO 27001 Scope Statement

Do I have an example of an ISO 27001 scope statement? Of course I do.

High Table is ISO 27001 UKAS accredited. We've been through that formal process, and on our ISO 27001 certificate, let me read for you what our certification statement is – information security consultancy and virtual Chief Information Security Officer services in accordance with the statement of applicability version 1.2. So what you can see here is that it's a very succinct scope statement. It is what goes on the certificate, it lays out exactly what it is that we provide, and it makes reference to the statement of applicability and its current version.

How to pass an audit of ISO 27001 Determining The Scope

How do I pass an audit? To pass an audit you're going to implement what I've just said. Once you've implemented that, you're going to conduct an internal audit, you're going to pass your own internal audit, and then you're going to go for certification.

3 Things an Auditor will check

When you go for your certification your auditor is going to check a number of different things, but at a high level let's look at three things that an auditor will look for. In terms of this particular Clause, they're going to look for whether or not you've documented your scope. It's all well and good having a scope, but ISO 27001 is a standard where if it isn't written down it doesn't exist, so they're going to check that you have your scope written down.

Ideally that's in the ISO 27001 Scope template that you've downloaded and used from me, but if not, in a similar format. There are videos and guides on it so you can copy it if you need to, or fast track by doing the download. Then they're going to want to make sure that you've implemented it and that you've implemented the standard. So they're going to look at the scope, they're going to look at the standard, and they're going to apply the standard to the scope; that's the entire purpose of ISO 27001 certification. And then they're going to look for evidence that the scope has been approved: that you as a group have approved it, not just that the IT manager has decided what it is, not just that the information security manager has decided what it is, but that you as an organisation have followed the internal processes that we are going to define and that you have approved that scope.

3 Mistakes that people make

Let's look at three common mistakes that people make when it comes to scope. It's not going to surprise you: the first is that you got your scope wrong. Getting your scope wrong is absolutely devastating, and I say devastating because the amount of cost, time and effort that you are going to spend doing something you didn't need to do is going to be phenomenal. It is important in the early stages to get that scope right, to narrow down that focus and narrow down those resources. I say again, it may well be that you apply the management system to the entire organisation, but the rigour required for ISO 27001 can be quite high, so you want to get that scope right.

The second mistake people make is that they scoped it, but they didn't scope it based on client need. They didn't listen to the client; they picked a scope that they thought would be easy for them. If you get the scope wrong in the eyes of the client, the certificate becomes useless and pointless. They are using the certificate specifically to look at you and gain assurance that you are doing the right thing. If you can't offer them a certificate that covers what they've bought from you and gives them assurance that it is covered by information security management, then you might as well not give them anything.

So you want to make sure that you scope to client need; don't get it wrong. The third mistake is that your document and version control is wrong. That's about documentation housekeeping, which I've covered many times and I'm not going to cover again here.

Who is responsible for ISO 27001 Clause 4.3

So when it comes to responsibility, who is responsible for getting the scope right? Senior management and leadership.

ISO 27001 is a top-down standard; it is about leadership demonstrating that they are leading. The buck ultimately stops with them, so you want to get that accountability written into your management system. They're accountable for it; the doing is probably going to land with the information security manager and the IT manager, typically, whether that's right or wrong, but that's where it's going to land.

Conclusion

Get your scope right, listen to your client, don't get it wrong, document it, take into consideration your internal and external issues and the needs of your interested parties, and be able to show through documentation the boundaries and interdependencies with third parties, and you are going to be absolutely golden. So be sure to subscribe to my ISO 27001 YouTube channel. I am very needy, I like your support, but also by subscribing you're going to get access to a wealth of free information; all my information is free. So be sure to subscribe to my ISO 27001 channel. I am Stuart Barker, I am the ISO 27001 Ninja. That was determining the scope and I will see you on the next one, but for now, peace out.
