Determining The Scope Of The ISMS For ISO 27001 Requirement 4.3
What does ISO 27001 Section 4.3 involve?
Section 4.3 of the standard involves setting the scope of your Information Security Management System. This is a crucial process as it will tell stakeholders, including customers, auditors and staff, what areas of your business are covered by your ISMS.
Likewise, an auditor will expect to see that your Scope is aligned to your Information Security Policy and business objectives.
What might be ‘out-of-scope’?
Consider products, locations, people, processes, etc. Think about what you can and can’t control or influence.
What parts of the business need to access, use or process the information you need to secure (the information boundaries and dependencies)? These would almost certainly need to be in scope if the pressure to certify is driven externally by clients. For example, you might focus on your software platform but would still have to look at the people, processes, etc. around it too.
Factors to consider when excluding areas from your ISO 27001 Scope
- Can you elegantly and easily describe what is in scope and out of scope to interested parties such as auditors, customers, etc. when needed?
- If you did leave parts out of scope, what would the impact be for staff? Would some of their work be in scope and some out of scope? If so, are there additional risks and complications: staff might confuse practices, fail to protect work, or introduce more threat by following two different approaches?
- Are there opportunities to describe things differently e.g. treat some satellite offices as tele/remote workers, not as physical premises or locations in scope?
- Simplifying or constraining scope early could make sense if you can effectively segment the information boundaries and demonstrate the risks are being addressed. However, if you have a goal of adding in something later then keep in mind that a material change in scope might trigger a need for another audit, depending on what, when, how and whether driven by internal goals or external pressures.
How to manage the requirements of Sect. 4.3
ISMS.online includes a template policy 4.3 ready to insert your organisation’s scope. Taken alongside the ISMS software solution, you can also subscribe to our ISO 27001 Virtual Coach package which gives expert guidance, where and when you need it most, on how to establish the scope and meet the other ISO 27001 requirements and Annex A controls.
Furthermore, our software features add automation to the creation, approval and review of all your policies, ensuring you never miss any required actions to maintain your ISO 27001 certification in future.
The ISO 27001 requirements are listed below:
- 4.1 Understanding the organisation and its context
- 4.2 Understanding the needs and expectations of interested parties
- 4.3 Determining the scope of the information security management system
- 4.4 Information security management system
- 5.1 Leadership and commitment
- 5.2 Information Security Policy
- 5.3 Organizational roles, responsibilities and authorities
- 6.1 Actions to address risks and opportunities
- 6.2 Information security objectives and planning to achieve them
- 7.1 Resources
- 7.2 Competence
- 7.3 Awareness
- 7.4 Communication
- 7.5 Documented information
- 8.1 Operational planning and control
- 8.2 Information security risk assessment
- 8.3 Information security risk treatment
- 9.1 Monitoring, measurement, analysis and evaluation
- 9.2 Internal audit
- 9.3 Management review
- 10.1 Nonconformity and corrective action
- 10.2 Continual improvement
The ISO 27001 Annex A Controls are listed below:
- A.5 Information security policies
- A.6 Organisation of information security
- A.7 Human resource security
- A.8 Asset management
- A.9 Access control
- A.10 Cryptography
- A.11 Physical and environmental security
- A.12 Operations security
- A.13 Communications security
- A.14 System acquisition, development and maintenance
- A.15 Supplier relationships
- A.16 Information security incident management
- A.17 Information security aspects of business continuity management
- A.18 Compliance
Need a set of ISO 27001 policies for your ISMS?
ISMS.online includes practical policies and controls for your organisation to easily adopt, adapt and add to, giving you a 77% head start with ISO 27001.