ISO 27001 Information Security - Clause 4.3 The scope of the ISMS

Clause 4.3 Scope

28 April 2022 - ISO 27001 Information Security in plain English - Blog post #3. Clause 4.3 Scope.

An essential step when planning an ISMS, or indeed any management system, is to establish its scope or boundaries. What elements of the organization are included and what are excluded? That's the subject of clause 4.3 in ISO 27001, and this article discusses how to determine that scope.

ISO 27001 Information Security in plain English

Information Security is becoming critical to every business, and there is a fast-growing trend towards developing management systems based on the ISO 27001 standard. However, the subject and its terminology can certainly be a little daunting. So, we set out to cut through that in 'ISO 27001 Information Security in plain English', a series of blog articles that explain all clauses and controls in the standard.

Determine the scope of the Information Security Management System

Determining the scope of your ISMS means considering where it applies and any boundaries to it. In doing so, you need to consider the context in which your organization operates, the relevant requirements of interested parties (as described above), and your products and services.

ISO 27001 has a mandatory requirement to document a statement of scope, and to make it available. Although the standard doesn't make it clear who it should be available to, a scope statement doesn't normally reveal any particularly sensitive information. It may, therefore, be made widely available.

The scope statement can be quite simple in many cases. It can be a little more complex where the business has diverse operations across multiple locations and only some of those are covered by the system. It is, of course, critical that the statement accurately reflects any limitations to the coverage of the ISMS. Any organization seeking to be certified will need to provide a scope statement to the certification body. That will enable them to plan the audit and correctly quantify the number of audit hours required.

A scope statement may be produced as a standalone document or may be incorporated into a compiled document (such as the ISMS Overview in the Qudos ISO 27001 InfoSec Toolkit). There is no set format for a scope statement, but we do suggest keeping it brief and to the point. The following is an example of a typical structure for a scope statement:

The information security management system for (organization) covers the information security controls for the provision of (services) from (location). This system is in accordance with statement of applicability version (version number), dated (date).

The next blog in this series is on clause 4.4 Information Security Management System.

About the series 'ISO 27001 Information Security in plain English'

This blog post is part of a series where we will work through all the clauses and controls in ISO 27001. A great starting point for developing your ISMS.

This blog series began with an introductory webinar. A copy of the slide deck is available for you here:

Qudos_ISO_27001 Information_Security_in_plain_English (PDF)



Ready to start your journey to ISO 27001?

Qudos 3 IMS software includes a more in-depth version of this post, templates for your interested parties' table with numerous examples, facilities to securely manage documents created, and tools to schedule and record reviews - with automated assignment and tracking of actions.

The first step to commencing a management system based on ISO 27001 is to conduct a gap analysis. We can provide a qualified, experienced certification auditor to perform a Gap Analysis service for you.
