Understanding and defining a scope in ISO27001

What is a scope in ISO 27001?
The scope of an ISMS is an important description referring to whom and what the ISMS applies. Every certification audit will usually address the scope wording directly after the opening meeting on the first day. Hence, you really need to understand what must be part of the scope and how to formulate the wording so that you do not create a non-conformity for yourself.
The following steps narrow down the items that belong in the scope:
- Identify what information your organisation stores, processes and manages.
- Decide what information in your organisation is going to be managed by your ISMS.
- Conduct a risk assessment for the vulnerable and sensitive data.
You can ask yourself the following questions to gain clarity:
- Will it cover all the information in your organisation or just some of it?
Once you know what information is going to be managed by your ISMS, you then need to figure out what this means for your organisation:
A risk assessment is necessary to understand how vulnerable the data you need to protect is. This will help you understand and group data by sensitivity and risk exposure, as well as the potential consequences of an incident. Hence, your risk assessment is used to help decide this.
Best ways of segmenting a scope
To make a scope more than just a toothless tiger, start with a top-level definition consisting of maybe one to three sentences. Then break the scope down into segments, so that locations, systems and organisational units are clearly assigned to the ISMS scope.
The factors and options that you might use to decide what information to include in a scope include:
- By service: All information stored, processed and managed for maintenance services.
- By client: All information stored, processed and managed for client XYZ.
- By location: All information stored, processed and managed in the London office.
- By business department: All information stored, processed and managed by the legal department.
- By type of information: All client information stored, processed and managed.
Alternatively, you can go very general and cover the whole company or some part of it:
- All information stored, processed and managed by the company.
Smaller businesses will often have simpler scope descriptions as the organization is not as complex as a multi-national corporation.
Method 1: The difficult way to decide a scope
The methodology in ISO 27001 allows you to follow a standard workflow towards drafting your scope:
- Understand your external and internal issues and your interested parties.
- Understand your organisation and its context.
You must consider your organisation as a whole and not just whatever scope you have in mind. Sometimes people see the scope on competitors' certificates. This gives you an idea, but it often misguides people into drafting a scope that matches the competitor rather than their own business reality.
From here you need to define a scope based on these factors. The authors of the ISO 27001 standard intended to give an idea of what needs to be in a scope, but did not really intend to set their suggestions as the ultimate principle. Hence, you need to avoid sticking too closely to the standard's wording. Draft the scope based on your business model.
In some audits a certification auditor may challenge a scope that does not reflect the true nature of the business.
Method 2: The creative way to decide a scope
Most organisations will choose a scope based on some of the following:
- What their customers or marketing department tell them they need to do.
- The idea of a draft scope.
- The minimum possible that you need to get a certificate.
This is where you need to try to be less cryptic and less oversimplified. The scope can be scaled across the organisation over time, which is why you do not need every business unit and location to be part of the scope from the start. If you bloat your scope, your ISMS project will suffer endless scope creep.
Once you have gained your certificate it is much easier to gradually add other locations, as the time and resource constraints will not disrupt your regular business activities.

What about a scope that covers information in a part of the organisation?
If you decide to define the scope as information in a part of the company, then this could include information managed by a business function, a service or a location. Your risk assessment will help you locate the areas in your business and infrastructure where an incident may occur. It should also show you where a data leak could endanger the survival of your organisation.
Your objective in implementing an ISMS is to improve the resilience of the organisation so that the information in the scope will be safe. This should not result in a spending spree on the most expensive and fancy technological solutions, but in a reasonable approach towards improving security from an organisational and technical perspective.
In other words, your ISMS has to manage those items that can affect the information security of the information in your defined scope.
Scope example: accounting services
Let's have a look at the following scope example:
“All client information stored, processed and managed associated with the delivery of the accounting services.”
If your company is offering outsourced accounting services, then your clients will be submitting their paperwork or digital invoices for processing. If you are also providing legal services, then the above scope will not include the work area of the legal teams.
Hence, the physical and digital infrastructure in the scope will need to include everything that touches the accounting service delivery. Where a system is used by both the legal and accounting teams, the system will have to be included in the risk assessment, as the non-regulated legal team may expose the accounting unit to unforeseen risks. Furthermore, you need to include the buildings occupied by the accounting teams. If the legal team is so tightly knitted together with the accounting units, it may be unavoidable to include the legal team in the scope.
When a building is used by multiple business units at the same time, physical risks can require additional security precautions. You need to consider such aspects, too. As previously mentioned, companies with multiple business units need to segment their networks to mitigate the risks of hacking or virus attacks. When your scope doesn't cover the entire organisation, you need to increase the segmentation of your digital infrastructure.
Don't forget your external suppliers
In order to be efficient and focused on your own key areas of expertise, your organisation will often use external suppliers. These may be IT service companies, SOC-as-a-Service operators or even external programming teams. These external suppliers can endanger the sensitive data you have decided to protect. Hence, you need to evaluate the risks of doing business with such external suppliers. You can mitigate these risks via insurance contracts, contract terms and fines, supplier audits, reviews, performance monitoring and third-party questionnaires. Certification auditors will sample your supplier management activities in order to understand whether your ISMS is effective in this sensitive area.

How do you document the scope?
Generally you can take the top-down approach by formulating a general scope and then breaking it down by locations, business units and systems. If you want to go even deeper, you can then drill down to the services and products that might be using information the ISMS intends to keep safe. Some people believe that having a detailed scope creates a lack of flexibility when it comes to updating or modifying the scope. This is not necessarily a dead end. It is merely a matter of how you structure your scope paper and present it to the certification body of your choice.
A scope statement might hurt your revenue
The scope statement is there to guide your organisation, as well as to give potential business partners a brief overview of what your ISMS intends to protect. The wording should be smooth and not erratic. The best way to test your scope is to imagine reading the chosen wording on a certificate provided to you by a potential supplier. Do you like it, or are you scared of giving them your data?
Here are some examples of weird scope statements:
- "All the client information stored, processed and managed by the organisation".
  Hidden message: this organisation doesn't care about personnel data.
- "All information stored, processed and managed by the payroll department".
  Hidden message: this organisation is not protecting customer data.
- "All client information stored, processed and managed except the Engineering department".
  Hidden message: this organisation has information security issues in the Engineering department.
- "All the client information stored, processed and managed by the organisation excluding the Liverpool office".
  Hidden message: this organisation has severe information security deficits at the Liverpool office.