Get in touch

Get in touch

  • This field is for validation purposes and should be left unchanged.

Privacy Notice

X

When you submit an enquiry via our website, we use the personal data you supply to respond to your query, including providing you with any requested information about our products and services. We may also email you several times after your enquiry in order to follow up on your interest and ensure that we have answered your it to your satisfaction. We will do this based on our legitimate interest in providing accurate information prior to a sale. Your enquiry is stored and processed as an email which is hosted by Microsoft within the European Economic Area (EEA). We keep enquiry emails for two years, after which they are securely archived and kept for seven years, when we delete them.

Reveal Menu

ISO27001 Scope – What is it and How to Define it Correctly (and usefully)

 

If you’ve decided to go for certification to the ISO27001 standard, then one of the first topics of conversation with your chosen auditing body will be about the “scope” of your information security management system (ISMS). This can make a big difference to how long your audits take and therefore how much they cost. But what is meant by scope, and how should you define it?

ISO27001 Scope

What is the scope of an ISMS?

Clause 4.3 of the standard requires an organization to “determine the boundaries and applicability of the information security management system to establish its scope.”. What this basically means is how big is your ISMS and what does it cover? The initial assumption is often that the ISMS has to cover everything the organization does, but this is far from the case. In fact, your scope is one of the best tools you have in your ISO27001 kitbag to control how long your project takes, how much it costs, and how much benefit it delivers.

How is the scope defined?

There are a number of ways in which the ISMS scope can be described, and the most common ones are in terms of:

  • Locations – it could be just the UK, or perhaps the Rome office but not the San Diego one
  • Services or products – maybe the outsourcing/hosting service is included but not the software development service
  • Organizational units – the scope covers one division or group company but not others, or it’s just the IT, Finance and HR departments for example

But you can also use any combination of the above, such as “the IT team that supports the hosting service in the UK”. Your scope will appear on your certificate once you have been certified and must also be documented within your ISMS, often in a manual or scope document. In ISO27001, the other aspect relevant to scope is the selection of controls from Annex A which will be set out in your Statement of Applicability (another required document). Your certificate will usually also show the latest version of this document.

How should I choose my ISO27001 scope?

A good question. This depends on what you’re trying to achieve. Organizations tend to go for certification to ISO27001 for a number of reasons, including:

  • To improve or recognise their information security posture and reduce risk
  • To show to their customers (and potential customers) that they take security seriously
  • To demonstrate compliance and avoid big fines
  • To save time when answering tender documentation as part of bids
  • Because they are required to by a regulator

So the best scope to define can depend on the reasons for wanting certification. For example, if the main reason is a marketing one, in that all of your competitors for a particular service have it, then it may make sense to limit your scope to that specific service. Or again, if only part of your organization is regulated and the regulator requires ISO27001, then setting the scope to just cover the needed parts may be appropriate.

If your organization is small, it usually makes sense to place everything it does within the scope because often it can be more difficult to manage a limitation to the scope than to simply cover everything. It is perfectly acceptable to start with a smaller scope for certification and then widen it out year by year as the ISMS matures and everyone becomes more familiar with what’s involved. In fact, if you need to achieve certification within a short timescale this may well be the best route. You must ensure however that your exclusions make sense and can be justified to the auditor.

Let’s look at an example from the Real World

As an example of an actual scope statement, let’s look at Amazon Web Services (AWS), whose certificate is available online.

AWS has been certified to ISO/IEC 27001:2013 with EY CertifyPoint since 2010. The scope statement defines where the ISMS is managed from (Seattle, Washington) and then goes on to provide a hyperlink to a list of services within scope that is maintained on the AWS website. If you’ve ever used AWS, you’ll know that they have a lot of services. The scope also includes a comprehensive list of locations which covers their major datacentres and their edge locations around the world. Interestingly, the Statement of Applicability is not mentioned by name on the AWS certificate; it’s possible the “IIMS Manual” fulfils this function.

Let’s be clear; this is a rather extreme example as AWS is a massive organization and your scope statement is likely to be much shorter. But it serves to illustrate some of the points.

So when should you start to think about scope?

You can see from the above discussion that the scope of your ISMS is absolutely fundamental, and you need to be reaching firm decisions on it as early as possible. Your scope will determine who needs to be involved in the project to put the ISMS in place and your project plan will look very different according to where you draw the line.

Depending on the structure of the organization and what it does, you may need to spend some time understanding how different components relate to each other in order to avoid introducing arbitrary dividing lines within your ISMS. One point worth making is that the scope of your ISMS doesn’t necessarily have to be the same as the scope of your certification. One option is to create a wider ISMS and then apply for certification of just a part of it initially; this could get the key services certified quicker (maybe for marketing reasons) whilst improving security within the organization generally for example.

In summary

The ISO27001 scope is very important and needs to be carefully considered right at the start of your ISMS implementation. Be clear about why you’re going for certification and take this into account when defining where the boundaries are, and make sure those boundaries can be clearly delineated. In a smaller organization, including everything is usually the best option to keep it simple.

 

Written by Ken Holmes CISSP, CIPP/E. Ken is an ISO27001 Lead Auditor and has helped to implement, operate and audit ISO certifications over a varied 30-year career in the Information Technology industry. 


More ISO27001 resources...

CertiKit are a provider of ISO toolkits, consultancy and internal auditing services, and have helped more than 4000 organizations worldwide with their compliance.

For more guidance on implementing the ISO27001:2022 standard, we’ve put together a list of our best free resources including video guides, blogs and downloadable documents.

Free ISO27001 Resources

We’ve helped more than 7000 businesses with their compliance

Testimonials

The sample documents are very rich in their scope. Our attorneys have reviewed our edits and can find no fault with what is presented.

Institute for Supply Management
USA

View all Testimonials