ISO 27001 scope statement… sounds a lot bigger than what it is. In actual fact, creating one is quite straightforward. In this scope statement guide, we tell you the what, how and why of writing an ISO 27001 scope statement.
We’ve added a few examples, a downloadable template and a super-cool and informative video starring our very own compliance innovator, Mari E. Curious.
What more could you want?
Why do you need a scope statement?
In their article ‘ISO IEC 27001 Certification’, TUV states that organisations implement an ISMS to:
“Protect data that is crucial to the business, mitigate risk and ensure stable operations, provide confidence to stakeholders and customers.”
The ISO 27001 scope statement is a commitment to and a reflection of this ambition. In addition, not only is it the sole mandatory piece of information that you need to provide within the scope segment of the standard, but also the most important.
According to Best Practice Biz, ‘The concept behind the scope statement is to let you understand the following:
- Laws and regulations you must adhere to
- Interfaces and dependencies you have with other models
- Internal and external issues relevant for your ISMS information security
- Processes and security controls needed to operate your business’
The ISO 27001 scope statement defines:
- What your business does.
- What important information is covered by the ISMS.
- Why security is important for your organisation.
- Which parts of your business are certified.
It’s what appears on your ISO 27001 certificate for all the world (well, not all the world, but you know what we mean) to see.
In short, it’s what your customers care about when it comes to security.
What’s the scope of ISO 27001?
The ISO 27001 scope itself defines everything – from data to products, processes to services, systems to geographies – that is protected by your ISMS. It also defines everything that isn’t protected.
In order to correctly compile your organisation’s scope, you must determine the boundaries and applicability of the ISMS.
This means examining any external and internal issues that you will find defined in clause 4.1 of the ISO 27001 standard, understanding the needs and expectations of interested parties (4.2), and determining the links between activities performed by your organisation and external organisations.
Examining and understanding which parts of the business are involved in creating, accessing or processing your valuable information assets, and carrying out a risk assessment will keep you on track when defining the scope of your ISMS.
Why is defining your ISO 27001 scope so important?
Whatever goes into your scope must be covered by your ISMS; whatever is outside the scope doesn’t have to be covered by your ISMS.
So, if you leave something out of the scope that should have been in the scope, you could end up with some unwanted security issues, unprotected data and unsatisfied clients and/or stakeholders.
If you put something in the scope that needn’t be there, you’re just making more work for your team and potentially spending money you don’t really need to. Also, too broad a scope isn’t agile in terms of allowing for changes in technologies and features.
How do you write a scope statement for ISO 27001?
Your scope statement is a summary of your scope and should make it clear to your customers that what they are purchasing from you, whether it’s a product or a service, is covered by your ISMS.
Additionally, when writing your scope statement, answer the following questions:
- What does my organisation do?
- Which products or services are in scope?
- Which information do we need to protect?
- What processes are associated with that information?
- Are there any exclusions (places, processes etc) that can be left out of the scope?
Let’s apply these questions to a fictional company to see how they work to shape a scope statement. We’ll call the company FindMyPet.
- What does my organisation do?
FindMyPet reunites pets and owners…
- Which products or services are in scope?
… using scanner technology and microchips…
- Which information do we need to protect?
…that store customers’ personal data (name, physical address, phone number)…
- What processes are associated with that information?
…that is also stored in a central database located at our offices in Dogtown…
- Are there any exclusions (places, processes etc) that can be left out of the scope?
…which is not accessible to anyone other than our IT department.
All together now:
FindMyPet reunites pets and owners using scanner technology and microchips that store customers’ personal data (name, physical address, phone number) that is stored in a central database located at our offices in Dogtown which is not accessible to anyone other than our IT department.
Common mistakes to look out for when creating your scope statement
As with anything ISO related, you should always be aware of potential pitfalls. Although the scope statement is a simple and short piece of work, it should be precise and clear excluding extraneous items and including anything that you deem worthy of ISMS protection.
Not understanding what information your organisation stores, processes and manages might lead to you leaving a vital element out of your statement.
To make sure that you know everything there is to know about the data that your company handles, you may want to look into attending professional compliance sessions.
Everything that falls outside the defined scope is deemed to be unsafe, so leaving out anything that your customer might not want to purchase because it hasn’t been certified is not a great plan.
Your scope statement should be neither too ambitious nor too ambiguous. Don’t aim too high and include every department, every person and every last piece of data. At the same time, don’t try to decrease your implementation costs by squeezing your scope.
Also read: Top 10 ISO 27001 Certification Software Tools
Examples of good ISO 27001 scope statements
To help you start your own scope statement, here are some examples of good scope statements. As you can see, they appear on the ISO 27001 certificate and refer back to the Statement of Applicability.
1. BSI’s ISO 27001 scope statement
In our first example you can clearly see that Online Computer Library Center’s ISMS applies to information security activities associated with the company’s management services, resource sharing, metadata services, discovery and reference, and internal infrastructure report. Note how the Statement of Applicability is referred to.
2. MGM Technology Partners’s ISO 27001 scope statement
MGM states the nature of their business (Advising clients in Public Sector, Insurance and eCommerce on the digitalisation of their business and IT processes; Software development for business-critical applications, management consulting for specialised and IT departments and testing and implementation of web security).
They don’t, however, explicitly state what the ISMS applies to. We can assume, therefore, that their ISMS covers everything related to all their activities and products.
3. Monday.com’s ISO 27001 scope statement
Monday.com’s scope statement is very clear. Their ISMS applies to the IT operations department related to developing, marketing, selling, promoting, supporting and designing a work OS for managing teamwork, running workflows and processes, and hosting content and files.
ISO 27001 scope statement template (download)
We’ve drafted a basic ISO 27001 scope statement template you can use.
This template can be used either as a ‘fill-in-the-gaps’ template or as a guideline for creating your own scope statement.
Don’t delay, write that ISO 27001 scope today!
Lastly, it takes time to be brief, so start compiling your scope statement as soon as possible. Remember not to be too ambitious or too ambiguous and make sure you understand what information your company handles.
To get help from professionals or to start using the very best DIY compliance tool on the market today, book a demo with Compleye.
