Determining The Scope Of The ISMS For ISO 27001 Requirement 4.3

What does ISO 27001 Section 4.3 involve?

Section 4.3 of the standard involves setting the scope of your Information Security Management System. This is a crucial process as it will tell stakeholders, including customers, auditors and staff, what areas of your business are covered by your ISMS.

Whilst your UKAS-accredited ISO 27001 certification offers tremendous assurance to customers, it is worth little unless you also check that what they expect to be covered is actually detailed in the Scope of the ISMS.

Likewise, an auditor will expect to see that your Scope is aligned to your Information Security Policy and business objectives.

What might be ‘out-of-scope’?

Consider products, locations, people, processes and so on, and think about what you can and cannot control or influence.

Which parts of the business need to access, use or process the information you need to secure (the information boundaries and dependencies)? These would almost certainly need to be in scope if the pressure for certification is driven externally by clients. For example, you might focus on your software platform, but you would still have to include the people, processes and other elements around it.


Factors to consider when excluding areas from your ISO 27001 Scope

Can you elegantly and easily describe what is in scope and out of scope to interested parties such as auditors, customers etc when needed?

  1. If you did leave parts out of scope, what would the impact be for staff? Would some of their work be in scope and some out of scope? If so, are there additional risks and complications, for example staff confusing the two sets of practices, failing to protect work, and increasing the threat by following two different approaches?
  2. Are there opportunities to describe things differently, e.g. treating some satellite offices as tele/remote workers rather than as physical premises or locations in scope?
  3. Simplifying or constraining the scope early can make sense if you can effectively segment the information boundaries and demonstrate that the risks are being addressed. However, if you intend to add something later, keep in mind that a material change in scope might trigger the need for another audit, depending on what changes, when and how, and whether it is driven by internal goals or external pressures.


How to manage the requirements of Sect. 4.3 includes a template policy 4.3 ready to insert your organisation’s scope. Taken alongside the ISMS software solution, you can also subscribe to our ISO 27001 Virtual Coach package which gives expert guidance, where and when you need it most, on how to establish the scope and meet the other ISO 27001 requirements and Annex A controls.

Furthermore, our software features add automation to the creation, approval and review of all your policies, ensuring you never miss any required actions to maintain your ISO 27001 certification in future.

