Determining the scope of your ISMS for ISO/IEC 27001:2013
What is the scope of the ISMS?
When you implement an Information Security Management System (ISMS), you need to determine and then document its scope. In simple terms, this means deciding and defining which information you want to protect. It is required for ISO 27001 certification as part of Clause 4.3 of the ISO 27001 requirements.
As you work through this process, building on clause 4.1 (the internal and external issues facing the organisation) and then clause 4.2 (the interested parties of the ISMS), a picture of your scope will naturally start to emerge. You may discover that there is more information to protect, and more locations, products, processes, services and people to consider for the scope.
Setting the scope correctly at the start is a good thing for your organisation overall. It means that all of your information is going to be more secure as a result, and you’ll work in a more consistent manner across the organisation for the information security processes too.
Once the scope has been determined, you should be able to quickly and easily demonstrate that scope to your interested parties, e.g. an external ISO-accredited auditor for ISO 27001. Whether you are being internally or externally certified, the auditor of the ISMS will also want to see the Statement of Applicability (SoA) at the same time as the scope. These are different things.
What are the benefits of defining the scope of the ISMS?
Defining the scope of the ISMS is a valuable exercise for the organisation and for the people involved in achieving its ISO 27001 certification. Not least, it will give you a much better understanding of the environment in which your organisation operates. That in turn helps uncover the security requirements you will need to meet, based on the information security threats, vulnerabilities, risks and opportunities facing it, from both a physical and a cyber security perspective.
In addition to satisfying information security audit requirements, another benefit of defining what is in scope of the ISMS is that the implementation process lets you define at the same time what is out of scope. Setting these ISMS boundaries helps everyone understand the scope. A good example of this would be a 3rd party data centre, which might store and process your valuable information. It would probably be outside the ISMS scope for the organisation from an independent ISO 27001 certification perspective, as the organisation can’t control what goes on there. Instead, that boundary would be documented as a third party supplier, managed separately under Annex A control A.15.
What are the common misunderstandings when considering the scope of the ISMS?
A common misunderstanding when considering the scope of the ISMS is its relationship with the Annex A controls. For example, some organisations believe that excluding some of the Annex A controls affects the scope. It is actually the other way around: the scope of the information security management system influences which of the ISO 27001 Annex A controls are selected or required. You cannot simply exclude one of the Annex A controls because you have decided that you don’t want it. Building on the 3rd party data centre example, that would mean you have to consider Annex A.15. How far to go with the information security control objective is based on the risk you’ve identified around the information being stored and processed by that supplier, and on your risk appetite in the event things went wrong.
You can exclude certain Annex A controls if there are no risks or requirements for those controls in your organisation. Taking the supplier example further, if no suppliers ever came into contact with your valuable information (identified in clauses 4.1 and 4.2), the organisation could reinforce that in its scope statement (what’s in and out of scope). It wouldn’t need to include the Annex A.15 controls, making them ‘not applicable’ in line with the statement of applicability. The key here is demonstrating why you wouldn’t need to include this control, which will relate back to the information security management scope in clause 4.3 and to clauses 4.1 and 4.2. In practice, of course, it’s highly unlikely that many organisations would be able to exclude Annex A.15 from the statement of applicability, as most organisations today rely on third parties for some processing and work around valuable information assets. You can bet that an external auditor would quickly drill much deeper if the organisation considered Annex A.15 as not applicable, and one of the first things they would then do is go back to the ISMS scope!
Another common misunderstanding when considering the scope of the ISMS is that organisations take the view that by creating a smaller scope for themselves, they will have an easier job. This is usually short-sighted. Excluding some parts of the organisation from the scope means you then have to treat them as “out of scope” risks, which could create further problems later. Managing two different ways of working in an organisation may lead to confusion and increased risk. There are sometimes legitimate reasons for doing it, however, when parts of the business are fundamentally different or the intent is to start in one place (e.g. geography A) and then increase that scope over time. If you are looking for independent external certification, it’s worth noting that there has been an increasing move towards ‘whole organisation’ scopes, and therefore your external auditor may not be prepared to accept a limited scope unless they understand the broader intent and journey too.