How to define your scope statement in ISO 27001

Defining the scope of your Information Security Management System (ISMS) is the most crucial part of implementing the ISO 27001 standard. The scope statement is defined in section 4.3 of the ISO/IEC 27001, the 2013 version.

The purpose of an ISMS scope is to describe the information and processes you intend to protect. It can also inform interested parties such as stakeholders, customers, auditors, staff, and top management about the specific areas of your organisation included in your ISMS. The concept behind the scope statement is to help you understand the following:

• Laws and regulations you must adhere to
• Interfaces and dependencies you have with other models
• Internal and external issues relevant to your ISMS information security
• Processes and security controls needed to operate your business

The importance of setting the ISO 27001 scope

The role of the ISMS scope is to identify the boundaries of your information security system. If you set your ISMS scope correctly, you can illustrate the establishment of your information security strategy. This can also allow you to negotiate deals and even get a higher rating from your bank.

How to set your ISMS scope

When defining your scope, you need to consider the organisation, products and services, subsidiaries, physical locations, divisions, systems, departments, and processes of your scope. This is important because your risk assessment work and information assurance rely on those parts of your business that need to be covered.

There are scoping requirements provided by the ISO 27001 standard that need to be considered when defining your scope. The first thing to consider is the reason for implementing the ISMS. The forces behind ISMS implementation may include identified growth opportunities tied to ISMS certification, a push from the board of directors, or customer requests. The ISMS implementation will likely present internal and external contexts that could guide the scoping evaluation.

When setting your ISMS scope, you should consider the following factors:

• Your security goals and risks – You need to identify the reason behind your ISO 27001 certification. Identify the problems you intend to solve and decide how a security framework can support you. Most people get certified to reduce the workload of audits, have a competitive advantage, reduce the risk of security threats, comply with laws and regulations, understand security risks, and more.
• The organisation’s key processes – An effective ISMS model should cover the organisation’s core processes and be able to prevent and reduce the risk of security threats.
• Available ISO certifications – Another thing to consider is whether you have other ISO certificates that can integrate with your upgrade. For instance, if you already have an ISO 9001 certificate, you may want to align it with your ISO 27001 ISMS scope.
• Supportive processes – Describes the additional procedures and processes you may need to run your business. These processes may include IT, procurement, developer, or HR support.

The final step is to document your scope. This is important because the decisions you make about your information security are integrated with your scope document. This document often includes the organisation’s context, relevant laws and regulations, interested parties, the scope of the ISMS, and standards for information security.

Contact Citation Certification for help

At Citation Certification, we are a JAS-ANZ certified ISO standards certification body dedicated to providing ISO certification globally. We offer various in-house and online training programs and certificates to ISO 27001. Get in touch with us today to learn more about how we can help you get ISO certification and define your ISMS scope.