How to write an ISO 27001 scope statement

Understanding and explaining how to write an effective ISO 27001 scope statement

In this article we’ll discuss what a scope statement is, why you need one and how to determine one for your organisation. We will also take a look at some key requirements, benefits, drawbacks as well as some example scope statements.

Reading time: 7 minutes

How to determine the scope

Defining your scope statement for ISO 27001 is one of the first steps to building your Information Security Management System (ISMS). Despite the scope being short, it is one of the most critical stages to reaching ISO 27001 certification. In addition, the scope defines the rest of your journey to certification as every following step to compliance relates to your scope or designated application area.

The standard describes the scope statement as detailing the purpose or context of your organisation and what processes are relevant to maintaining your business; it defines the subject, boundaries, and objectives of your eventual ISMS. In writing your scope statement, the ISO compels you to understand what business processes are pivotal to your organisation, the laws and regulations you must comply with, and the parties, be it internal or external, that may relate to your ISMS and any dependencies they may entail.

When approaching your scope statement, you should take an inquisitive approach, assume the role of an interrogator, and ask questions about the information you need to protect. Some common questions you should ask yourself are listed and described below.

What are your goals in achieving certification?

Ask yourself why you want to get certified for ISO 27001 and what problems do you want to solve in the process of building an information security management system on the road to compliance.

What are your core organisation processes?

Ask yourself, how does your business operations and how do you generate revenue? Your eventual ISMS will cover these core processes in great detail with identified risks and mitigations for protecting and responding to information security threats.

What are your core organisation processes?

After understanding your core processes ask yourself, what other processes does your organisation maintain to run your business? – Think about employment, development plans, or HR.

Why you need a scope

As mentioned in the previous section, your scope statement is one of the most pivotal stages in your journey to ISO 27001 certification. This is because your scope sets out the boundaries of your ISMS from a birds-eye view. In addition, it discusses which processes or areas of your organisation are covered in the system, clearly making it very important.

Another important aspect of writing your scope is that it covers all aspects of your organisation under specific security laws and regulations. Therefore, you have a tangible way to demonstrate the implementation of your information security strategy concerning all the relevant laws and regulations governing specific processes. This can, in turn, help raise your reputation with partners and customers and improve your organisation’s overall standing with regard to regulators and other government entities.

Defining your ISMS scope directly impacts the future workload in assessing your covered assets, risk management and business processes. Despite this, your ISMS does not affect the controls you will later describe in your Annex A controls, which are later assessed separately in your Statement of Applicability.

Example scope statements

Example of a scope from a document scanning company

In scope

The scope of our ISMS includes all processes, people, customer information (paper-based and/or digital) and systems involved in the provision of the document scanning service, transfer and/or hosting of client digital data, and destruction of paper documents once digitised, as described in the Asset Register, namely:

  • Client paper documents collected, stored and/or destroyed for the purpose of scanning and/or storage;
  • Digital information (client data and our company data) stored on servers located at the company premises;
  • Digital information hosted in Box and managed on behalf of clients;
  • Digital information hosted in SharePoint 365 tenancy controlled by us and managed on behalf of clients;
  • Our own information stored in own SharePoint 365 tenancy;
  • Systems used for transfer of digital information to clients (SharePoint 365, ABC Secure File Transfer App, or other as requested by the client);
  • The physical and environmental security at our premises;
  • All staff and contractors, including off-site workers and homeworkers associated with the information in scope.

Out of scope

The following systems are out of scope:

  • Document management systems sold by us for which we act as a reseller, which are not under our control once installed, configured and/or operational.
  • Cloud systems used for the management of our business which do not contain client information, e.g. Pipedrive, Quickbooks and Trello.

Dependencies

Where we are dependent on 3rd parties for the delivery of our services and/or management of the security controls in place, those 3rd party will be listed in the Asset Register.

Example of a scope from a tech company with a SaaS application

Scope

This includes all systems required to enable the development, hosting and provision of our app.
The Company operates an ISMS in line with ISO 27001.In determining the scope, the Internal and External issues, interested parties and their needs and expectations, and legal and regulatory requirements have been considered.

Scope statement

Development and support of our product suite and all electronic information which is captured via the Collection of Applications, and stored, transferred and produced by us and the users of our Applications.

In scope

The following processes and systems are in scope:

  • Digital information (client data and audit trails generated as a result of our processing of the client data) stored on Microsft Azure servers.
  • Digital information hosted in The App and managed on behalf of clients;
  • The Company’s own information generated as a result of running our business, stored in Microsoft Sharepoint;
  • Systems used for the transfer of digital information to clients;
  • The physical and environmental security of the devices owned by the business;
  • All staff and contractors, including off-site workers and homeworkers associated with the information in scope;
  • The designing of security into systems developed in-house.

Out of scope

The following systems are out of scope:

  • Xero (finance and accounting)

Dependencies

Where the Company is dependent on 3rd parties for the delivery of its services and/or management of the security controls in place, those 3rd party will be listed in the Asset Register.

Who and what to consider when deciding on the scope

As mentioned before, when deciding on your scope you should ask yourself questions about your core and supporting processes and goals of certification. When deliberating the core and supporting processes you may need to single out certain groups and areas of interest to define within your scope. The below list gives pointers to different aspects of your organisation to consider.

Access to information

When considering your scope you should contemplate how access to documents, systems and or areas of your physical locations are managed and delegated. Think whether your employees truly understand their responsibilities and delegated rights, furthermore do your employees have sufficient training to properly use the entities they have access to – in the event there is a security risk for example.

What are your goals in achieving certification?

Ask yourself why you want to get certified for ISO 27001 and what problems do you want to solve in the process of building an information security management system on the road to compliance.

Physical locations

Another factor to consider for your scope is your organisation’s physical locations. Are there areas in your offices that should have explicit security controls to maintain their integrity or are you operating completely in the cloud nullifying the need to include physical security risks in your scope.

Development plans

Before writing your scope you should also think to the future. Is your business growing exponentially year after year requiring constant change and evolution? Or are you perhaps planning in the long-term to upgrade physical locations or processes that may negatively impact your ISO 27001 scope in the future? These factors may not be as important as ISO 27001 certification only lasts 3 years – but it is crucial to not overlook it nonetheless.

Strategies for determining and defining the boundaries of your ISMS

To begin strategizing and determining the boundaries of your eventual ISMS you must consider your objectives in accordance with clause 6.2 whereby your organisation should “establish information security objectives at relevant functions and levels” in a strategic, tactical or operational manner. This thought-process enables you to determine all the interest groups that need to be protected and the impact your decisions on them may have on your customers, partners, suppliers and or shareholders.

Scope for success - potential benefits and pitfalls of narrowing your ISMS scope

Many organisations approaching certification may attempt to lower their costs and time by narrowing the scope they write. This may seem like a good idea as it can cut implementation costs and significantly lower the number of hours spent determining the scope and carrying out the rest of the tasks on the way to ISO 27001 certification. But there is a big issue with narrowing your scope, and that is that by narrowing scope you reduce your ability to interface with the outside world. Typically meaning the relationships with your clients, partners and suppliers are limited by the risk assessments you undergo and identify in your scope. In some cases, this can lead to your narrow scope being simply impossible in the sense of interacting with the outside world due to the unfeasibility of the data protection attempting to be achieved with such a narrow scope.

The requirements of ISO 27001 regarding the scope

When writing your scope document you must also keep in mind the requirements of the document. Auditors are not just looking for generalised answers, they’re looking for you to meet the following requirements:

  • Consider the internal and external issues defined in clause 4.1 and define the context of your organisation in accordance.
  • Consider the requirements defined in clause 4.2 and identify the relevant parties in accordance.
  • Consider any interactions and dependencies between the outside world and within your ISMS.
  • You should also include a short description of your physical location
Elisabeth Belisle

Elisabeth Belisle

Elisabeth is an Associate Consultant of the British Standards Institute (BSI), a BSI qualified ISO 27001 Lead Auditor and member of the Standard Committee responsible for the publication of the BS 10008 Standard.

Elisabeth can help you decide if ISO 27001 is for you and support you through its implementation, all the way to certification.

Adam Pope

Adam Pope

Adam is a systems administrator for Digital Octopii and the ISO 27001 certification toolkit. Adam handles the information security and consistency of the ISO 27001 toolkit, setting an example for how data and information should be handled under ISO 27001 guidelines.

Use our ISO 27001 Toolkit and get ready for certification in 5 weeks