
ISO 27001 clause 4.3 Determining the scope of the information security management system

The basics

ISO 27001 sub-clause 4.3 is called “Determining the scope of the Information Security Management System”. It requires the scope and boundaries of the ISMS to be defined while considering the internal and external issues, the requirements of interested parties, and the existing interfaces and dependencies between the organization’s activities and those performed by other organizations.

Documentation

ISO 27001 clause 4.3 Determining the scope of the information security management system requires writing the following document:

  1. ISMS Scope document.

Implementation

To comply with clause 4.3 Determining the scope of the information security management system, you need to define the ISMS scope. Follow these steps:

  1. Decide whether your whole company will be included in the ISMS scope, or only a part of the company.
  2. (If only a part of the company is included) Take into account the security requirements when setting the ISMS scope.
  3. (If only a part of the company is included) Take into account the internal context, e.g., where the most sensitive information is processed.
  4. (If only a part of the company is included) Check whether the scope is feasible in terms of departments, physical locations, and processes by analyzing dependencies and interfaces.
  5. Define what should be excluded from the ISMS scope.
  6. Write the ISMS Scope document.

Audit evidence

During the ISO 27001 certification audit, the auditor will ask you the following regarding clause 4.3 Determining the scope of the information security management system:

  1. To show the mandatory document, the ISMS Scope document.
  2. Whether you took into account internal and external issues when setting the ISMS scope.
  3. Whether you took into account the requirements of interested parties when setting the ISMS scope.
  4. Whether you took into account dependencies and interfaces when setting the ISMS scope.
  5. Whether your ISMS is properly implemented across your whole scope.

If such evidence is not found, the auditor must raise a nonconformity.