Just as a building is only as good as its foundation, your ISO 27001 certification is only as good as the scope of your Information Security Management System (ISMS). Writing the scope statement, therefore, is one of the most critical things you will do when you kickstart your ISO 27001 compliance journey.
To get lasting benefit from your certification, it is vital to define the scope comprehensively, so that it covers the critical products, information, software, systems, subsidiaries, services, functions, processes, and geographies your certification needs to protect.
But strong foundations take work. Here’s a ‘quick and dirty’ guide on how to write an ISO 27001 scope statement that works.
What is ISO 27001 Scope?
ISO 27001 scope defines the breadth of your ISO 27001 certification by the information, products, processes, services, systems, functions, subsidiaries, and geographies your organization needs to protect through its ISMS.
For instance, for a SaaS platform that manages health information for pharmaceutical enterprises (let’s call it ABC, shall we?), the scope can be defined as the design, development, maintenance, technical support, sales, and marketing of ABC.
In short, the ISO 27001 scope is the information your organization wants to protect through its ISMS, together with the people, processes, and systems that handle it. Information security, in the standard's terms, means preserving the confidentiality, integrity, and availability of that information: the right information reaches the right people at the right time, and nobody else.
Clause 4.3 of the ISO 27001 standard sets out how to determine the scope of your ISMS. Note that the Statement of Applicability (clause 6.1.3), which lists the Annex A controls you apply and justifies any you exclude, must be consistent with the scope statement and supports it.
What is an ISO 27001 Scope Statement?
The ISO 27001 scope statement appears on your ISO 27001 certificate. It is what your customers, prospects, and other stakeholders will read to learn exactly what is certified as protected by your ISMS.
In the example given earlier, the ISO 27001 scope statement can be “design, development, maintenance, technical support, sales and marketing of ABC”.
Typically, the scope statement is a couple of lines to a paragraph or two, and it is printed on the ISO 27001 certificate. While writing your scope statement, ensure that it covers the products and/or services and the associated functions. Your customers will judge your information security controls and infosec posture by looking at your certificate. Your scope statement, therefore, must be unambiguous; write it as clearly as possible.
For instance, a scope statement that reads “All information stored, processed and managed in the New York office….” doesn’t make much sense if the organization is headquartered in San Francisco, where most of its employees work. Does this mean information stored, processed and managed at their headquarters isn’t safe enough?
A comprehensive scope statement earns the confidence of your stakeholders; a weak one raises more than eyebrows. An incorrect or insufficient scope statement will also draw questions from the certification auditors.
What do ISO 27001 Scope Statement Examples Include?
Before you start writing your scope statement and ponder what you should include, it's important to have clarity on the following organizational aspects:
- What information does your organization need to protect?
- What are the processes that are associated with that information?
Your answers to these questions will give you a distinct overview of what needs to be included in the scope statement.
The scope statement must primarily include the products and/or services your organization is looking to certify, and the associated functions, locations, systems, processes, people, and subsidiaries that support their design, development, maintenance, technical support, sales and marketing. Clause 4.3 also requires you to consider the internal and external issues (clause 4.1), the requirements of interested parties, including relevant laws, regulations, contractual obligations and standards (clause 4.2), and the interfaces and dependencies between activities inside the scope and those performed by other organizations.
More often than not, the easiest option is to include the whole organization in the scope: people, processes, systems, physical locations, products, software and everything else then fall within it. In our experience of having helped define the scope for hundreds of cloud-hosted organizations on their ISO journey, this is the safest approach. It makes most sense, however, for small to mid-sized organizations.
Bigger organizations, or those with specific compliance needs, can limit their scope to a dedicated part, product, process, or service. While carving out a portion of your organization for your ISO 27001 scope might seem less work, it has its pitfalls. More on that later.
How to write an ISO 27001:2013 Scope Statement?
The ISO security standard doesn't prescribe how long or short the scope statement must be. But remember that the scope should be centered on what your customers are buying from you, directly and indirectly, because that is what they need assurance about when they assess your organization's security posture.
You will find many articles on the internet that discuss writing detailed documents supporting your scope statement, complete with network diagrams, asset lists, and whatnot. But guess what? Such a detailed document isn't mandatory. The standard only requires the scope itself to be available as documented information. You can still write a supporting document if it helps, but a clear, comprehensive scope statement is good enough.
Here’s a small checklist for writing an ISO 27001 scope statement.
- Identify the information your organization needs to protect.
- Make a list of the products and/or services in scope.
- Line up the processes, people, technology, information assets and infrastructure that help deliver the listed products and services.
- Identify any exclusions (out-of-scope areas). List the associated locations, processes, and other relevant items that make up the exclusion list.
Once you have worked through this list, you can write the statement of scope. Keep it as unambiguous as possible, and define the scope so that it can grow with your organization.
What about exclusions?
If you want to narrow your scope to only a specific part of your organization, or pilot test it initially to a limited scope, here are some things you must consider:
- While a narrower scope may cost you less initially, it will also deliver fewer business benefits than a broader scope.
- The standard treats everything outside the ISMS scope as external, and therefore as no more trustworthy than a third party. Clause 4.3 requires you to identify the interfaces and dependencies between in-scope activities and those outside the scope, so you will need to define and control the security interfaces for every process and data flow that crosses the scope boundary.
But what about vendors?
It isn’t uncommon for organizations to use external or third-party vendors to deliver specific services. And some of them might be privy to information within your ISMS’s scope.
The organization's vendor risk management policy should be applied in such cases. Contracts with strict SLAs, security questionnaires, and periodic audits and reviews are some of the ways organizations can ensure their data is secure with their vendors.
ISO 27001 Example Scope Statement
Let’s look at ISO 27001 scope statement examples:
Amazon Web Services Scope
Gitlab’s ISO 27001 Scope
Gitlab has included what’s excluded from its scope.
Remote organizations would have similar exclusions in their scope statements too as there wouldn’t be a physical office location.
Capptions' ISO 27001 Scope
Capptions, a Netherlands-based EHS management software provider has a comprehensive yet short scope statement.
With Sprinto's help, Capptions secured their ISO 27001 certification 3x faster.
What do you have to document, and where?
The statement of scope is one of the mandatory documents under the ISO 27001 standard (clause 4.3 requires it to be available as documented information). It can be produced as a standalone document or as part of the documentation compiled for the framework. So, document the scope and make it available to the internal and external auditors as well as the certification body.
ISO 27001 Scope Statement Template
You can't simply lift one of the many scope statement templates and use it for your organization. As you will have realized by now, the scope is a custom definition that changes with the organization's size, geographies, products and services, among other things.
Bigger organizations with complex offerings, such as Amazon Web Services have a different scope compared to a relatively small organization.
So, don’t fall for templates being peddled on the world wide web. Research and read the examples, but when you write one for your organization, make it yours.
How can Sprinto help?
From defining the scope for your ISO 27001 certification to building your Statement of Applicability and helping you get 100% ready for an ISO 27001 audit, Sprinto can help you navigate the entire compliance journey with ease and confidence.
Sprinto’s automated compliance platform is built to reduce human intervention. Our intelligent continuous monitoring feature makes it easier for organizations to collect evidence, and manage the entire documentation stack for the standard.