How to write an ISO 27001 scope statement

In this article we’ll discuss what a scope statement is, why you need one and how to determine one for your organisation. We will also take a look at some key requirements, benefits, drawbacks as well as some example scope statements.

How to determine the scope

Defining your scope statement for ISO 27001 is one of the first steps to building your Information Security Management System (ISMS). Despite the scope being short, it is one of the most critical stages to reaching ISO 27001 certification. In addition, the scope defines the rest of your journey to certification, as every subsequent step to compliance relates to your scope or designated application area.

The standard describes the scope statement as setting out the purpose and context of your organisation and which processes are relevant to running your business. It defines the subject, boundaries, and objectives of your eventual ISMS. In writing your scope statement, the standard requires you to understand which business processes are pivotal to your organisation, which laws and regulations you must comply with, and which parties, internal or external, relate to your ISMS and what dependencies they entail.

When approaching your scope statement, you should take an inquisitive approach. Assume the role of an interrogator and ask questions about the information you need to protect. Some common questions you should ask yourself are listed and described below.

What are your goals in achieving certification?

Ask yourself why you want to get certified for ISO 27001 and what problems you want to solve while building an information security management system on the road to compliance.

What are your core organisation processes?

Ask yourself how your business operates and how you generate revenue. Your eventual ISMS will cover these core processes in great detail with identified risks and mitigations for protecting and responding to information security threats.

What other processes does your organisation maintain?

After understanding your core processes, ask yourself what other processes your organisation maintains in order to run the business. Think about employment, development plans, or HR.

Why you need a scope

As mentioned in the previous section, your scope statement is one of the most pivotal stages in your journey to ISO 27001 certification. This is because your scope sets out the boundaries of your ISMS from a bird's-eye view and states which processes or areas of your organisation the system covers, which is why it matters so much.

Another important aspect of writing your scope is that it covers all aspects of your organisation under specific security laws and regulations. Therefore, you have a tangible way to demonstrate the implementation of your information security strategy concerning all the relevant laws and regulations governing specific processes. This can, in turn, help raise your reputation with partners and customers and improve your organisation’s overall standing with regard to regulators and other government entities.

Defining your ISMS scope directly impacts the future workload in assessing your covered assets, risk management and business processes. Despite this, your scope does not by itself determine the Annex A controls you will later document; those are assessed separately in your Statement of Applicability.