
Determining The Scope Of The ISMS – ISO 27001 Requirement 4.3

What is ISO 27001 Clause 4.3?

Clause 4.3 of the ISO 27001 standard involves setting the scope of your Information Security Management System (ISMS). This is a crucial part of the ISMS, as it tells stakeholders, including senior management, customers, auditors and staff, which areas of your business are covered by your ISMS. You should be able to quickly and simply describe or show your scope to an auditor and ideally to a lay person, as your new staff will need to know it too. The external auditor for the ISMS (assuming you are going for independent certification) will probably also want to see the Statement of Applicability detail at the same time as the scope.

How to Set the Scope of the ISMS to meet ISO 27001?

The in-scope activity will be much more logical to consider once you have completed the work for 4.1 and 4.2. You’ll probably consider the organisation, subsidiaries, divisions, departments, products, services, physical locations, mobile workers, geographies, systems and processes for your scope, as the information assurance and risk assessment work will follow those parts of your organisation that need to be protected. Remember to also think about what the powerful interested parties will expect. If you did look at leaving any part of the organisation out of scope, what would the impact be for those powerful interested parties? Would you also have to run multiple systems and end up confusing staff about what was in and out of scope in the way they worked?

What parts of the business need to create, access or process the information assets you see as valuable? These would almost certainly need to be in scope if the pressures were driven externally by customers for satisfying their information assurance needs. For example, you might focus on your product development and delivery, but would still have to look at the people, processes etc. around it too. Also think about what you can and can’t control or influence.

It could take minutes of effort to get this work done, or it might take considerably longer in a larger enterprise where it can be politically and practically challenging to determine a controllable scope. ISO certification bodies like UKAS are pushing more towards a ‘whole organisation’ scope too, and powerful customers will generally expect that as well.


How to Document ‘out-of-scope’ for an ISMS to meet ISO 27001?

You should also carefully note the ‘out of scope’ areas for the ISMS, wrapped up alongside the key interfaces and dependencies between activities performed by the organisation and those that are performed by other organisations. At a simplistic level, let’s imagine you are a software developer and rely on an outsourced datacentre for hosting of the service to customers. You’d probably clarify that the scope for your 4.3 is that within your organisation for the people and the software itself, but would put the boundaries and activities of the datacentre out of your controlled scope; after all, you would expect them to also maintain their own trusted ISMS. It is the same for physical property: if there is a reliance on a landlord for certain work (e.g. loading, barriers and reception control), that might form a boundary where the physical location security itself is out of scope for your control, and you’d work your ISMS activity within that property. You would, however, still be expected to manage the supplier as part of your supplier policies in Annex A.15 and ensure their practices at least met the requirements for your ISMS and risk appetite, but that’s for another time.

  1. Building on the point above, if you did leave parts out of scope, what would the impact be for staff? Would some of their work be in scope and some out of scope? If so, are there additional risks and complications where they might confuse practices, fail to protect work, and create more threat by following two different approaches?
  2. Are there opportunities to describe things differently, e.g. treat some satellite offices as tele/remote workers, not as physical premises or locations in scope?
  3. Simplifying or constraining scope early could make sense if you can effectively segment the information boundaries and demonstrate the risks are being addressed. However, if you have a goal of adding in something later, keep in mind that a material change in scope might trigger a need for another audit, depending on what, when, how and whether it is driven by internal goals or external pressures.

How to easily demonstrate 4.3: Scope to auditors

The platform makes it easy for you to evaluate all aspects/scope of your management system.

Step 1 : Explore your scope

By considering the following, you will be able to define the boundaries of your management system:

  • The internal and external issues facing you (Clause 4.1)
  • The requirements from interested parties (Clause 4.2)
  • The interfaces and dependencies between the activities performed by your organisation and those performed by other organisations


Step 2 : Demonstrate to your auditors

You can easily demonstrate your work to auditors by recording your evidence within the platform, e.g. data, policies, controls, procedures, risks, actions, projects, related documentation and reports.

Step 3 : Adopt, adapt and add

Our pre-configured ISMS content makes it straightforward to evidence requirement 4.3 within our platform and can easily be adapted to your organisation’s needs. The Adopt, Adapt and Add (AAA) framework works out of the box, providing you with a ready-made foundation for ISO 27001 compliance or certification by giving you a 77% head start.

Step 4 : A time-saving path to certification

Our Assured Results Method, ARM, is your simple, practical, time-saving path to first-time ISO 27001 compliance or certification. Requirement 4.3 is part of the first section that ARM will guide you through, which will help you to understand your organisation in relation to information security. This will then help you to determine which assets, systems, people, locations etc. fall within the scope of your management system, and in turn to think about the risks that affect them.

Step 5 : Extra support whenever you need it

If you need extra support, our optional Virtual Coach provides context-specific help whenever you need it. Additionally, our Service Delivery Team and your Account Manager are only ever a phone call away.