How to write an ISO 27001 scope statement

Understanding and explaining how to write an effective ISO 27001 scope statement

In this article we’ll discuss what a scope statement is, why you need one and how to determine one for your organisation. We will also take a look at some key requirements, benefits and drawbacks, as well as some example scope statements.

How to determine the scope

Defining your scope statement for ISO 27001 is one of the first steps to building your Information Security Management System (ISMS). Despite the scope being short, it is one of the most critical stages to reaching ISO 27001 certification. In addition, the scope defines the rest of your journey to certification, as every subsequent step to compliance relates to your scope or designated application area.

The standard describes the scope statement as detailing the purpose or context of your organisation and which processes are relevant to maintaining your business. It defines the subject, boundaries and objectives of your eventual ISMS. In writing your scope statement, the standard requires you to understand which business processes are pivotal to your organisation, the laws and regulations you must comply with, and the parties, internal or external, that may relate to your ISMS and any dependencies they may entail.

When approaching your scope statement, you should take an inquisitive approach. Assume the role of an interrogator and ask questions about the information you need to protect. Some common questions you should ask yourself are listed and described below.

What are your goals in achieving certification?

Ask yourself why you want to get certified for ISO 27001 and what problems you want to solve in the process of building an information security management system on the road to compliance.

What are your core organisation processes?

Ask yourself how your business operates and how you generate revenue. Your eventual ISMS will cover these core processes in great detail with identified risks and mitigations for protecting and responding to information security threats.

What are your supporting organisation processes?

After understanding your core processes, ask yourself what other processes your organisation maintains to run the business. Think about employment, development plans, or HR.

Why you need a scope

As mentioned in the previous section, your scope statement is one of the most pivotal stages in your journey to ISO 27001 certification. This is because your scope sets out the boundaries of your ISMS from a bird's-eye view and states which processes or areas of your organisation are covered by the system, which is what makes it so important.

Another important aspect of writing your scope is that it identifies which parts of your organisation fall under specific security laws and regulations. This gives you a tangible way to demonstrate that your information security strategy has been implemented with regard to all the laws and regulations governing those processes. This can, in turn, help raise your reputation with partners and customers and improve your organisation’s overall standing with regulators and other government entities.

Defining your ISMS scope directly affects the future workload involved in assessing your covered assets, risk management and business processes. Despite this, the scope does not affect the Annex A controls you will later describe, as these are assessed separately in your Statement of Applicability.

Example scope statements

Example of a scope from a document scanning company

In scope

The scope of our ISMS includes all processes, people, customer information (paper-based and/or digital) and systems involved in the provision of the document scanning service, transfer and/or hosting of client digital data, and destruction of paper documents once digitised, as described in the Asset Register, namely:

  • Client paper documents collected, stored and/or destroyed for the purpose of scanning and/or storage
  • Digital information (client data and our company data) stored on servers located at the company premises
  • Digital information hosted in Box and managed on behalf of clients
  • Digital information hosted in SharePoint 365 tenancy controlled by us and managed on behalf of clients
  • Our own information stored in own SharePoint 365 tenancy
  • Systems used for transfer of digital information to clients (SharePoint 365, ABC Secure File Transfer App, or other as requested by the client)
  • The physical and environmental security at our premises

Out of scope

The following systems are out of scope:

  • Document management systems sold by us for which we act as a reseller, which are not under our control once installed, configured and/or operational
  • Cloud systems used for the management of our business which do not contain client information, e.g. Pipedrive, Quickbooks and Trello

Dependencies

Where we are dependent on 3rd parties for the delivery of our services and/or management of the security controls in place, those 3rd parties will be listed in the Asset Register.

Example of a scope from a tech company with a SaaS application

Scope

This includes all systems required to enable the development, hosting and provision of our app.

The Company operates an ISMS in line with ISO 27001. In determining the scope, the internal and external issues, interested parties and their needs and expectations, and legal and regulatory requirements have been considered.

Scope statement

Development and support of our product suite and all electronic information which is captured via the Collection of Applications, and stored, transferred and produced by us and the users of our Applications.

In scope

The following processes and systems are in scope:

  • Digital information (client data and audit trails generated as a result of our processing of the client data) stored on Microsoft Azure servers
  • Digital information hosted in The App and managed on behalf of clients
  • The Company’s own information generated as a result of running our business, stored in Microsoft SharePoint
  • Systems used for the transfer of digital information to clients
  • The physical and environmental security of the devices owned by the business
  • All staff and contractors, including off-site workers and homeworkers associated with the information in scope
  • The designing of security into systems developed in-house

Out of scope

The following systems are out of scope:

  • Xero (finance and accounting)

Dependencies

Where the Company is dependent on 3rd parties for the delivery of its services and/or management of the security controls in place, those 3rd parties will be listed in the Asset Register.

Who and what to consider when deciding on the scope

As discussed above, when deciding on your scope you should ask yourself questions about your core and supporting processes and goals of certification. When deliberating the core and supporting processes you may need to single out certain groups and areas of interest to define within your scope. The list below gives pointers to different aspects of your organisation to consider.

Access to information

When considering your scope you should contemplate how access to documents, systems and/or areas of your physical locations is managed and delegated. Consider whether your employees truly understand their responsibilities and delegated rights, and whether they have sufficient training to use the systems and areas they have access to properly, for example when a security risk arises.

Physical locations

Another factor to consider for your scope is your organisation’s physical locations. Are there areas in your offices that should have explicit security controls to maintain their integrity, or are you operating completely in the cloud, removing the need to include physical security risks in your scope?

Development plans

Before writing your scope you should also think about the future. Is your business growing exponentially year after year, requiring constant change and evolution? Or are you perhaps planning in the long term to upgrade physical locations or processes in a way that may affect your ISO 27001 scope in the future? These factors may be less pressing because ISO 27001 certification only lasts 3 years, but it is still crucial not to overlook them.

Strategies for determining and defining the boundaries of your ISMS

To begin strategising and determining the boundaries of your eventual ISMS you must consider your objectives in accordance with clause 6.2 whereby your organisation should “establish information security objectives at relevant functions and levels” in a strategic, tactical or operational manner. This thought process enables you to determine all the interested groups that need to be protected and the impact your decisions may have on your customers, partners, suppliers and/or shareholders.

Scope for success - potential benefits and pitfalls of narrowing your ISMS scope

Many organisations approaching certification may attempt to reduce cost and time by narrowing the scope they write. This may seem like a good idea, as it can cut implementation costs and significantly lower the number of hours spent determining the scope and carrying out the remaining tasks on the way to ISO 27001 certification. There is a big issue with narrowing your scope, however: by narrowing it you reduce your ability to interface with the outside world. This typically means that relationships with your clients, partners and suppliers are limited by the risk assessments you undertake. In some cases, a narrow scope will make it simply impossible to interact with the outside world, because it cannot provide the appropriate level of data protection.

The requirements of ISO 27001 regarding the scope

When writing your scope document you must also keep in mind the requirements the standard places on it. Auditors are not just looking for generalised answers; they’re looking for you to meet the following requirements:

  • Consider the internal and external issues defined in clause 4.1 and define the context of your organisation accordingly.
  • Consider the requirements defined in clause 4.2 and identify the relevant interested parties accordingly.
  • Consider any interactions and dependencies between the outside world and your ISMS.
  • Include a short description of your physical location.
Elisabeth Belisle

Elisabeth is an Associate Consultant of the British Standards Institute (BSI), a BSI qualified ISO 27001 Lead Auditor and member of the Standard Committee responsible for the publication of the BS 10008 Standard.

Elisabeth can help you decide if ISO 27001 is for you and support you through its implementation, all the way to certification.
