Defining your ISO 27001 scope statement is one of the first steps in building your ISMS. Although it is just a short separate document or a small paragraph in your security policy, it is one of the most important points, because every subsequent step relates back to your scope, or area of application. In this article you can find out why the definition of your scope is so important, how to write your statement, what it has to include and why it can affect your ISO 27001 certification audit. I also try to give you some examples you could use as a template for your ISMS.
What is the ISO 27001 scope?
The scope statement is defined in ISO/IEC 27001:2013 under section 4 and especially in sub-section 4.3. It briefly describes the purpose or context of your organization and which processes are relevant to running your business. In other words, it defines the boundaries, subject and objectives of your ISMS. The goal is to make you think about and understand which:
- business processes are important to operate your organization
- laws and regulations you have to comply with
- parties (internal and external) are interested in and relevant for your ISMS or information security
- dependencies you have on other standards
The determination of the context draws on the risk management standard ISO 31000.
Why is defining the ISO 27001 Scope important?
As already mentioned above, the scope statement sets the boundaries of your information security management system. It explains which parts, processes or departments of your organization are covered by your ISMS. For example, this could be your whole organization, a subsidiary, a business location, a business line, the headquarters, etc.
The definition of your ISMS scope directly impacts the workload in relation to your covered assets, risk management and business processes. It has no impact on the controls described in Annex A or ISO 27002. The controls are assessed separately in your “Statement of Applicability”.
Another important aspect is that your scope should cover all business sections that fall under specific security laws or regulations. If you set the scope of your ISMS correctly, you are able to demonstrate the implementation of your information security strategy. The right definition could also help you negotiate contracts or get a better rating from your bank, etc.
How to define your scope?
Before defining the scope, you should think about and answer the questions below for yourself. Companies often try to cheat here by defining their scope too narrowly just for the sake of getting the certificate. In the past that was maybe possible, but nowadays the requirements for security are higher. Also, in the past ISO 27001 had a bad reputation because it seemed that the award of the certificate was too “lax”. From my experience this is taken into account in an audit nowadays, and auditors tend not to accept a scope that is too small. Often a small scope makes no sense in terms of workload either. If necessary processes are not covered by your scope but are required for your ISO 27001 certification (e.g. HR or procurement processes), you have to treat them like external supporting processes or external services. That often forces you to rethink, adjust and redo your risk analysis.
Questions you should ask yourself:
What are your security goals and risks?
You should ask yourself why you want to get certified for ISO 27001, what problems you want to solve and how a security framework can support you. The goals could be complying with regulations, gaining competitive advantages, preparing for increasing security threats, understanding your security risks, etc. I also often find that big, highly regulated companies have the goal of reducing the workload for other audits through synergy effects.
Does your organization have any other ISO certificates?
For example, are you certified for ISO 9001 already? If yes, you should think about aligning the ISO 27001 scope to this certification.
What are the organization's core processes?
In other words, how does your company make money? Your ISMS should always cover your core processes, in order to identify and reduce risk and to be able to protect against and respond to security threats.
What are your supporting processes?
Besides the core processes, what other procedures do you need to run your business? This could be your HR, procurement, development or IT processes.
What do you have to document and where?
Although it seems you have a lot to consider when writing your scope statement, the actual implementation is really easy and straightforward. Normally it is included in your “Information Security Policy” and is just a small section that contains a few sentences (you can find a few examples below). It explains what business your company is in, how you earn your money, which assets are important and how information security can help to protect your assets and organization. You don’t need to go into much detail here. The overview, or big picture, of your whole security organization comes from the downstream descriptions or documents. These are mainly the commitment of your senior management, the description of your roles and responsibilities, your security goals and your risk management procedures.
Examples of how to write your scope
Here you can find a few examples of how you can write your scope statement. Feel free to use them as a template.
“We are a domestic bank with a focus on retail banking. The storage and processing of sensitive customer data is part of our core business. It is therefore our duty to protect our clients' data and our information assets in relation to confidentiality, integrity and availability. This policy applies to the entire organization, our employees as well as contractors.”
This statement shows that the main security focus of the bank is their customer data. It is also clearly stated that the scope applies to the whole organization.
“As a leading company in the development, production and sales of our products, we are highly dependent on the protection of our development and research data and the availability of our IT systems and processes. That is why information security is very important for our research area, our production facilities and our sales organization. This policy and our ISMS address these requirements.”
This text leaves a little more room for interpretation, but it is obvious that the scope includes the three business units mentioned.
“As an energy supplier and operator of critical infrastructures we have to comply with national standards, laws and regulations. The growing security threats require the establishment and implementation of a strong information security management and governance system. To take this into account, the implementation and compliance with our security policies, guidelines and procedures is of great importance.”
Here the focus lies on compliance with regulations and laws. The ISMS should be built around the protection of the infrastructure and compliance with the law, and it should demonstrate that implementation.
At the beginning it seems very confusing to define your ISO 27001 scope statement, but in the end it is very logical and straightforward. Normally most organizations or companies get it right instinctively by aligning their scope with their core business lines. Defining a scope that is too small or narrow does not reduce your workload and could cause more harm than good. You just have to briefly describe why security is important for your business, which assets, data or information you try to protect and why these are essential for your organization.