Since the standard was revised to introduce concepts such as dependencies and interfaces, the ISO 27001 scope has been widely discussed. In this article, we will talk about the purpose of the ISO 27001 scope, bust some myths, and explain some requirements, so that your Information Security Management System (ISMS) is customised and efficient.
The main purpose of writing a scope statement is to define what information your organisation intends to protect. Without identifying what information needs to be protected, the ISMS has nothing concrete to manage. With a well-defined scope statement, the ISMS team in your organisation will understand which sensitive information needs to be prioritised and protected, allowing them to build customised risk treatment plans that address the risks to that data.
If the scope statement is poorly written, meaning that it is too vague or too narrow, the effectiveness of the ISMS will suffer.
It will also affect your ISO 27001 certification. Auditors from the certification body will not be able to determine the boundaries and applicability of the ISMS, which undermines the audit and prolongs the certification process.
In many cases, the certification auditor begins by checking the elements of the ISMS scope statement, long before he or she examines individual departments or systems. So, if your scope statement is inadequate, it is likely to be raised as a nonconformity at the first stage of the certification audit.
Clause 4.3 of ISO 27001 states that the following must be considered when determining the scope:
Internal and external issues (clause 4.1): When the company defines the context of the organisation, it needs to identify all internal and external issues that could affect the performance of the management system. Internal issues include factors within the control of the organisation, such as employees' internet browsing habits, how they use their personal devices, data storage policies, organisational culture, security policies, and so on.
External issues are factors that are not under the control of the organisation, including social factors, political factors, market trends, new malware, and so on.
Needs and expectations of interested parties (clause 4.2): This covers the requirements of relevant interested parties. When any information security policy is developed or steps are taken to mitigate risks, it is important to consider how the relevant parties may be affected. This helps business owners anticipate and reduce resistance. Additionally, the expectations of all relevant parties regarding how sensitive data is handled should be at the core of both the policies and the scope statement.
As a general rule of thumb, relevant stakeholders expect sensitive data to remain confidential and to keep its integrity and authenticity, while staying available to the authorised parties who need to read or update it.
Interfaces and dependencies (clause 4.3 c): The standard asks you to consider the interfaces and dependencies between activities performed by your organisation and those performed by other organisations. A dependency is an activity that the in-scope part of the organisation relies on but that is performed elsewhere, for example by a hosting provider or an out-of-scope department; an interface is the point at which information or services pass between in-scope activities and those external activities. Both must be identified so that the scope boundary is explicit and the risks that cross it are treated.
In addition to these considerations, you should include a short description of the physical locations covered in your ISMS scope document. Using charts to describe organisational units is also helpful in visualising how your ISMS functions, helping both the ISMS team and the lead auditor understand how the processes relate to one another.
When you are writing your scope statement, you should be careful with the following issues:
A narrow scope: A scope that is too narrow will leave data unprotected and cannot satisfy the requirements of your clients, who expect the services they use to fall inside it. Small scopes also make it hard to monitor consistently, because the same systems end up partly inside and partly outside the ISMS.
An overly broad scope: A scope that is too large will be expensive and time-consuming. Scopes usually grow because they accumulate unnecessary bureaucratic policies and processes, which makes the ISMS hard to control, especially with a small team, and difficult to keep up to date as the organisation changes.
Excluding controls: A Statement of Applicability (SoA) is required in every case; if you exclude any Annex A control, the SoA must record the exclusion and the justification for it. Note that excluding a control is different from excluding part of the organisation from the scope: the former is justified in the SoA, while the latter is defined in the scope statement, together with the interfaces and dependencies that result.
A well-defined scope statement, as with the scope of any management-system standard such as ISO 9001, can make or break the implementation of the ISMS. By appropriately defining your ISMS scope, you align your management system with the expectations of your relevant stakeholders and the strategic direction of your organisation.
Ideally, your scope statement should reference the information security policy, include the activities that directly handle your clients' data, and exclude the physical locations that create no risk to confidential information.
A well-formulated scope statement will speed up your certification process, help you achieve compliance more reliably, allow you to create customised security policies that actually serve you, maintain the integrity of your data, increase stakeholder confidence and represent your organisation well to security experts.
The ISO 27001 scope statement defines the boundaries and applicability of your ISMS. It should include the activities that directly handle your data and exclude the departments that create no risk to confidential information, and it should be based on the internal and external issues that could affect the performance of the ISMS and on the expectations of relevant interested parties.
ISO certification gives your organisation a competitive edge. By improving operational efficiency and product consistency, it raises the credibility and authority of your business.
Copyright © 2024 The ISO Council | Privacy Policy