Part of ISO 27001 compliance is establishing the scope that the Information Security Management System (ISMS) covers. This part of the requirements states exactly which areas fall under the ISMS and which fall outside of it. Auditors refer to the scope documentation to check whether it aligns with the policies that an organisation has in place.
When companies define a scope for their ISMS, they also need to determine what falls outside the scope. In most cases, anything that concerns the way the business handles secure information, and the stakeholders involved, is relevant.
Creating the scope for ISO 27001 is a four-step process:
- Develop a preliminary scope that covers everything that may need to be included.
- Refine the scope by examining each element to decide whether it should stay.
- Create the final scope for the ISMS.
- Obtain approval of the final scope.
The Benefits of a Clear Scope
A clear scope leaves no question about which parts of the business are covered by the ISMS. Customers, external parties and employees can refer to the scope to understand the information security management that is in place.
Anyone can look at the scope and immediately know whether the information is secured through the systems, policies, procedures and risk treatments in place for potential risks.
ISO 27001 covers the organisational, physical and technological scope. The interfaces and dependencies between the organisation and external parties also fall under the scope.
External interested parties covered in the ISO 27001 scope include customers, regulators, investors, industry associations and shareholders. The internal interested parties are senior management, information security analysts, asset owners and end users.
Business activities can affect the overall scope of the ISMS, as can the support functions that change these activities. For example, IT software applications are necessary for these procedures. Outsourced functions involve both internal parties and third-party suppliers, and both should be considered when defining the scope.
The ISO 27001 scope shows an organisation what its ISMS covers and which areas fall outside of it. It guides the decisions of senior management and information security teams when they evaluate the security measures that should be in place to protect secured data.