Defining your ISO 27001 scope statement is one of the first steps in building your ISMS. Although it is just a short separate document or a small paragraph in your security policy, it is one of the most important points, because every subsequent step relates to your scope or area of application. In this article you can find out why the definition of your scope is so important, how to write your statement, what it has to include and how it can affect your ISO 27001 certification audit. I also give you some examples you could use as a template for your ISMS.
What is the ISO 27001 scope?
The scope statement is defined in ISO/IEC 27001:2013 under section 4, and especially in sub-section 4.3. It briefly describes the purpose or context of your organization and which processes are relevant to running your business. In other words, it defines the boundaries, subject and objectives of your ISMS. The goal is to make you think about and understand which:
- business processes are important to operate your organization
- laws and regulations you have to comply with
- parties (internal and external) are interested in and relevant for your ISMS or information security
- dependencies you have on other standards
The determination of the context is based on the risk management standard ISO 31000.
Why is defining the ISO 27001 Scope important?
As already mentioned above, the scope statement sets the boundaries of your information security management system. It explains which parts, processes or departments of your organization are covered by your ISMS. For example, this could be your whole organization, a subsidiary, a business location, a business line, the headquarters, etc.
The definition of your ISMS scope directly impacts the workload in relation to your covered assets, risk management and business processes. It has no impact on the controls described in Annex A or ISO 27002. The controls are assessed separately in your “Statement of Applicability”.
Another important aspect is that your scope should cover all business sections that fall under specific security laws or regulations. If you set the scope for your ISMS correctly, you are able to demonstrate the implementation of your information security strategy. The right definition could also help you negotiate contracts or get a better rating from your bank, etc.
How to define your scope?
Before defining the scope, you should think about and answer the questions below for yourself. Often companies try to cheat here by defining their scope too narrowly just for the sake of getting the certificate. In the past that was maybe possible, but nowadays the requirements for security are higher. Also, in the past ISO 27001 had a bad reputation because it seemed that the certificate was awarded too “laxly”. From my experience this is taken into account in an audit nowadays, and auditors tend not to accept a scope that is too small. Often a small scope makes no sense in terms of workload, either. If processes that are required for your ISO 27001 certification (e.g. HR or procurement processes) are not covered by your scope, you have to treat them like external supporting processes or external services. That often forces you to rethink, adjust and redo your risk analysis.
Questions you should ask yourself:
What are your security goals and risks?
You should ask yourself why you want to get certified for ISO 27001, what problems you want to solve and how a security framework can support you. The goals could be complying with regulations, gaining competitive advantages, preparing for increasing security threats, understanding your security risks, etc. I also often find that big, highly regulated companies have the goal of reducing the workload for other audits through synergy effects.
Does your organization have any other ISO certificates?
For example, are you certified for ISO 9001 already? If yes, you should think about aligning the ISO 27001 scope to this certification.
What are the organization's core processes?
In other words, how does your company make money? Your ISMS should always cover your core processes, to identify and reduce the risks and to be able to protect against and respond to security threats.
What are your supporting processes?
Besides the core processes, what other procedures do you need to run your business? This could be your HR, procurement, development or IT processes.
What do you have to document and where?
Although it seems you have a lot to consider when writing your scope statement, the general implementation is really easy and straightforward.
First, it is always best practice to document your decision-making process. Because everything you do regarding information security is aligned with your scope, it should be clear why you have chosen this scope statement.
To show an auditor what led to the ISO 27001 scope, I always prepare a document that describes the implementation of the ISMS. This document includes the points mentioned in the first section above.
Here is my document structure:
1. Context of the Organization
Here you should describe what industry your organization is in, what it does and why information security is important for the business.
1.1 Standards and approaches for Information Security
Here I like to show what security approaches, standards and best practices are relevant for the organization and especially why ISO 27001 was chosen.
1.2 Relevant laws and regulations
Here you should list all laws and regulations that are relevant for information security in your business. I normally split this section off and write a separate document or procedure for this topic that also includes all the contractual requirements.
In this section you should just list the most relevant laws and regulations and state that you intend to fulfill those requirements.
1.3 Interested internal and external parties
In this chapter you roughly list the internal and external parties that are relevant for, or have interfaces with, information security and/or the data and information that need to be protected.
Which external parties are relevant depends on the industry you are in. When your organization is in the public sector, for example, an external party could be the government or other authorities. If you are in the banking sector, your Central Bank could be an important external party.
And of course, you should always have your suppliers and customers in focus.
Internal parties are nearly all departments in your organization that deal with information (digital or written on paper).
But you could also mention your Business Owners, Managing Directors, Works Council, etc.
1.4 Scope of the ISMS
Now that you are able to understand and describe the context of your organization, you are able to write down the actual scope statement. This is normally done in a few sentences. You can find examples below.
Here are some more points you could consider when defining your ISO 27001 scope:
- Think about the business model of your organization and which processes are critical
- What are the business goals of your organization?
- Are there other business locations, especially abroad?
- Identify relevant and important Stakeholders and Key Players (external and internal)
- Ask your Stakeholders for expectations about Information Security, IT Security or just what they want to protect
As a CISO it is always beneficial to form alliances with key players in your organization. This is the perfect time for that.
Examples on how to write your scope
Here you can find a few examples of how you can write your scope statement. Feel free to use them as a template.
“We are a domestic bank with a focus on retail banking. The storage and processing of sensitive customer data is part of our core business. It is therefore our duty to protect our clients' data and our information assets in relation to confidentiality, integrity and availability. This policy applies to the entire organization, our employees as well as contractors.”
This statement shows that the main security focus of the bank is their customer data. It is also clearly stated that the scope applies to the whole organization.
“As a leading company in the development, production and sales of our products, we are highly dependent on the protection of our development and research data and the availability of our IT systems and processes. That is why information security is very important for our research area, our production facilities and our sales organization. This policy and our ISMS address these requirements.”
This text leaves a little bit more room for interpretation, but it is obvious that the scope includes the three mentioned business units.
“As an energy supplier and operator of critical infrastructures we have to comply with national standards, laws and regulations. The growing security threats require the establishment and implementation of a strong information security management and governance system. To take this into account, the implementation and compliance with our security policies, guidelines and procedures is of great importance.”
Here the focus lies on compliance with regulations and laws. The ISMS should be built around the protection of the infrastructure and compliance with laws, and it should demonstrate their implementation.
At the beginning it seems very confusing to define your ISO 27001 scope statement, but in the end it is very logical and straightforward. Normally, most organizations get it instinctively right by aligning their scope with their core business lines. Defining a scope that is too small or narrow does not reduce your workload and could cause more harm than good. You just have to briefly describe why security is important for your business, which assets, data or information you are trying to protect, and why these are essential for your organization.