Under the heading "Context of the Organisation", clause 4.3 of ISO 27001 requires you to clearly define the boundaries and applicability of your ISMS. You need to decide how far the ISMS extends, what it applies to and, equally, what it doesn’t apply to. Precise knowledge of the interfaces and dependencies between your business and other organisations is critical as well.
This is a crucial part of your early ISMS planning as it establishes the foundation for all other activities during the ISMS implementation including the effective identification of relevant risks and the determination of necessary risk-reducing controls. A clearly defined and detailed scope can be effectively communicated to all stakeholders; for example, top management, staff with specific responsibilities, general staff, customers and even auditors! Joking aside, during some audits you will be required to confidently describe your scope to the auditor, and she may not be familiar with your business.
We favour a diagrammatic approach when we document the scope of the ISMS as it lends itself to clearly depicting boundaries, applicability and the interfaces with other organisations.
It’s also important to understand the distinction between the scope of certification and the scope of the ISMS. The scope of certification covers those locations, teams, products, services and supporting activities which you directly influence and are seeking to certify. The scope of the ISMS may also include outsourced services (e.g. facilities management, HR, SaaS / PaaS) where you are not seeking to certify the organisations providing these services, but you recognise your obligation to manage the delivery of the services and control the associated risks. Hence the importance of clear boundaries!
Ensure that your documented scope is more than just the sentence you hope to have printed on your certificate. It must reflect the important organisational factors (see clause 4.1) and the requirements, dependencies and interfaces with external interested parties; for example, an outsourced IT service provider.
Schedule a regular review of your documented scope to ensure that it remains accurate. Any significant changes (physical location, addition of sites, new products or services) should be discussed with your certification body as soon as possible because the implications may need to be reviewed during the next planned visit or a specific visit may need to be organised. Don’t leave it until the next time the auditor visits!
Finally, schedule a session with us and we can provide an ISO 27001 ISMS scope example or discuss your proposed ISO 27001:2013 scope statement.