
ISO 27001 Clause 4.3: Determining the scope of the ISMS


ISO 27001 is an international standard that specifies requirements for an information security management system (ISMS). An ISMS is a set of policies and procedures that are designed to protect an organisation's information assets.


What is ISO 27001:2022 Clause 4.3?

Clause 4.3 of the ISO 27001 standard is titled "Determination of the Scope of the ISMS". It requires organisations to define the scope of their Information Security Management System (ISMS). The scope of the ISMS defines which information assets and activities are covered by the system.

The organisation shall determine the boundaries and applicability of the information security management system to establish its scope.

When determining this scope, the organisation shall consider:

  • The external and internal issues referred to in ISO 27001:2022 Clause 4.1 Understanding the Organisation and Its Context

  • The requirements referred to in ISO 27001:2022 Clause 4.2 Understanding the Needs and Expectations of Interested Parties

  • Interfaces and dependencies between activities performed by the organisation, and those that are performed by other organisations.

The ISMS scope should be determined based on the following factors:

  • The organisation's risk appetite: The organisation's risk appetite is the amount of risk that the organisation is willing to accept. The scope of the ISMS should be aligned with it.

  • The organisation's business needs: The scope of the ISMS should cover the information assets and activities that are critical to the organisation's business.

  • The organisation's legal and regulatory requirements: The scope of the ISMS should include the information assets and activities that are subject to legal and regulatory requirements.

Once the scope of the ISMS has been determined, it should be documented in the following locations:

  • Your statement of applicability (SoA). The SoA should be kept up to date as the organisation changes. It explains which specific controls you intend to implement within the scope; it is a living document that evolves as the ISMS is created.

  • A scope policy that goes into specific detail about what will be included in the scope from a business perspective. This covers the following areas:
     
    • Activities
    • Products
    • Services
    • Interfaces
    • Boundaries (both digital and physical)

  • In addition, state any exclusions from the scope. Exclusions can be recorded in both the SoA and the scope policy.

Why is it important to determine the scope of your ISMS?

Defining the scope of your Information Security Management System (ISMS) is of paramount importance, as it establishes the extent to which the standard applies.

Not all information assets and activities are covered by this standard. By defining your ISMS scope, you ensure that the system is only implemented for the information assets and activities that are important to your organisation.

Furthermore, the scope should be aligned with your organisation's risk appetite, also known as your risk tolerance. This reflects the level of risk that your organisation is comfortable with.

By aligning your ISMS scope with your risk appetite, you guarantee that the system effectively manages the risks associated with your valuable information assets.


How to set up the ISMS scope

Here are the key steps involved in crafting an effective ISMS scope to meet ISO 27001:

Lay the groundwork. Before you can start mapping out your scope, make sure you have done the work for Clause 4.1 and Clause 4.2. Clause 4.3 requires quite a bit of decision-making from top management, so make sure they are heavily involved from the start.

Map the scope. Once you understand your risk appetite and tolerance, you can start to map out the scope of your ISMS. This means identifying the information assets and activities that you need to protect.

Consider your stakeholders. Your stakeholders are the people who have a high interest in your organisation's information security. These stakeholders may include customers, employees, partners, and regulators. You need to consider their needs and expectations when mapping out your scope – this ties into the list of interested parties as per Clause 4.2.

Focus on the essentials. Not all information assets and activities are created equal. Some are more important than others. When mapping out your scope, focus on the essential assets and activities that need to be protected.

Be realistic. It's important to be realistic when mapping out your scope. You need to be able to implement and maintain the controls that you put in place.

Review and update regularly. Your organisation's information security landscape is constantly changing. As a result, you need to review and update your ISMS scope regularly.


Some of the things to keep in mind when defining the scope of your ISMS:

The scope should be:

  • Comprehensive enough to cover all of your organisation's important information assets and activities.

  • Specific enough to avoid ambiguity.

  • Flexible enough to allow for changes to your organisation's business.

3 tips for determining the scope of your ISMS

  • Involve key stakeholders in the process. The scope of your ISMS should be aligned with the needs of your organisation. By involving key stakeholders in the process, you can ensure that the scope is appropriate for your organisation.

  • Consider your organisation's risk appetite. As mentioned earlier, the scope of your ISMS should be aligned with your organisation's risk appetite. This means considering the amount of risk that your organisation is willing to accept.

  • Be flexible. The scope of your ISMS may need to change over time. As your organisation changes, you may need to adjust the scope of your ISMS to ensure that it is still effective.

The benefits of defining the scope of your ISMS:

  • It ensures that the ISMS is effective in protecting your organisation's information assets.

  • It helps to identify the information assets and activities that are most important to your organisation.

  • It helps to prioritise the resources that are needed to protect your organisation's information assets.

  • It helps to communicate to stakeholders what is included in the ISMS.

Conclusion

Determining the scope of your ISO 27001 ISMS is an important and mandatory step in implementing the standard. By following the steps outlined above, you can ensure that the scope of your ISMS is appropriate for your organisation.
