Determining the Scope Statement

The ISO 27001 scope statement is one of the first steps for building your ISMS. Although it is just a short separate document or small paragraph in your security policy, it is one of the most important aspects of the certification. The scope statement is defined in the ISO/IEC 27001:2013 under section 4. It shortly describes the purpose or context of your organization and what processes are relevant to run your business. In other words, it defines the boundaries, subject, and objectives of your ISMS. 

Some examples of scope statements include: 

Long example –  

Design, Development, Manufacturing, Operations, Sales, Customer Experience, 

Services and Support for Networking, Data Center, Communications, Video, Collaboration, and Security Products, Solutions, and Services related to the Wizbang Solution.  

Specific processes around a solution –  

Development, provisioning, and customer support of software for designing, automating, and analyzing business processes (for on-premise and cloud product offerings). 

Associated physical security –  

The physical and logical protection of customer and company data and associated information assets in use, stored, and accessed in the company office or remotely for the provision of professional services that include service management, cyber security operations, and associated consulting services.  

Key aspects to consider when developing the scope are:

• business processes that are important to operate your organization

• mandatory laws and regulations

• all interested and relevant parties (internal and external) for your ISMS or information security

• norms and dependencies 

When determining the scope, consider what your customers are concerned about and capture the processes that are used to define your scope. The ISO certificate can be a marketing tool and a market differentiator for your organization.  

Think about the business model of your organization and what processes are critical to the business. What business locations should be included, what type of information is stored, and what services and processes do the organization offer? Identify relevant and important stakeholders and key players (external and internal) and gather feedback for expectations about information security, IT security, or other areas that need to be protected. 

 The scope statement doesn’t need to be long or detailed, it simply needs to convey the processes that are going to be included in the certification. Just remember this statement will be displayed on the certificate and should accurately reflect the areas of certification.