If you’ve decided to go for certification to the ISO27001 standard, then one of the first topics of conversation with your chosen auditing body will be about the “scope” of your information security management system (ISMS). This can make a big difference to how long your audits take and therefore how much they cost. But what is meant by scope, and how should you define it?
Clause 4.3 of the standard requires an organization to “determine the boundaries and applicability of the information security management system to establish its scope.” What this basically means is: how big is your ISMS and what does it cover? The initial assumption is often that the ISMS has to cover everything the organization does, but this is far from the case. In fact, your scope is one of the best tools you have in your ISO27001 kitbag to control how long your project takes, how much it costs, and how much benefit it delivers.
There are a number of ways in which the ISMS scope can be described, and the most common ones are in terms of:
But you can also use any combination of the above, such as “the IT team that supports the hosting service in the UK”. Your scope will appear on your certificate once you have been certified and must also be documented within your ISMS, often in a manual or scope document. In ISO27001, the other aspect relevant to scope is the selection of controls from Annex A which will be set out in your Statement of Applicability (another required document). Your certificate will usually also show the latest version of this document.
A good question. This depends on what you’re trying to achieve. Organizations tend to go for certification to ISO27001 for a number of reasons, including:
So the best scope to define can depend on the reasons for wanting certification. For example, if the main reason is a marketing one, in that all of your competitors for a particular service have it, then it may make sense to limit your scope to that specific service. Or again, if only part of your organization is regulated and the regulator requires ISO27001, then setting the scope to just cover the needed parts may be appropriate.
If your organization is small, it usually makes sense to place everything it does within the scope, because it is often more difficult to manage a limitation to the scope than to simply cover everything. It is perfectly acceptable to start with a smaller scope for certification and then widen it out year by year as the ISMS matures and everyone becomes more familiar with what’s involved. In fact, if you need to achieve certification within a short timescale, this may well be the best route. You must, however, ensure that your exclusions make sense and can be justified to the auditor.
As an example of an actual scope statement, let’s look at Amazon Web Services (AWS), whose certificate is available online.
AWS has been certified to ISO/IEC 27001:2013 with EY CertifyPoint since 2010. The scope statement defines where the ISMS is managed from (Seattle, Washington) and then goes on to provide a hyperlink to a list of services within scope that is maintained on the AWS website. If you’ve ever used AWS, you’ll know that they have a lot of services. The scope also includes a comprehensive list of locations which covers their major datacentres and their edge locations around the world. Interestingly, the Statement of Applicability is not mentioned by name on the AWS certificate; it’s possible the “IIMS Manual” fulfils this function.
Let’s be clear: this is a rather extreme example, as AWS is a massive organization and your scope statement is likely to be much shorter. But it serves to illustrate some of the points.
You can see from the above discussion that the scope of your ISMS is absolutely fundamental, and you need to be reaching firm decisions on it as early as possible. Your scope will determine who needs to be involved in the project to put the ISMS in place and your project plan will look very different according to where you draw the line.
Depending on the structure of the organization and what it does, you may need to spend some time understanding how different components relate to each other in order to avoid introducing arbitrary dividing lines within your ISMS. One point worth making is that the scope of your ISMS doesn’t necessarily have to be the same as the scope of your certification. One option is to create a wider ISMS and then apply for certification of just a part of it initially; this could, for example, get the key services certified more quickly (maybe for marketing reasons) whilst improving security within the organization generally.
The ISO27001 scope is very important and needs to be carefully considered right at the start of your ISMS implementation. Be clear about why you’re going for certification and take this into account when defining where the boundaries are, and make sure those boundaries can be clearly delineated. In a smaller organization, including everything is usually the best option to keep it simple.
Written by Ken Holmes CISSP, CIPP/E. Ken is an ISO27001 Lead Auditor and has helped to implement, operate and audit ISO certifications over a varied 30-year career in the Information Technology industry.
For more guidance on implementing the ISO27001:2022 standard, we’ve put together a list of our best free resources including video guides, blogs and downloadable documents.