The scope of an ISMS (Information Security Management System) is crucial, as it defines the direction and objective that the security team must follow.
The scope of the Information Security Management System (ISMS) is the set of activities, processes and resources included in the Information Security Management System.
The scope determines the limits of what is covered by the ISMS and what is outside its scope.
It is necessary to determine the scope of the ISMS to ensure that all important aspects of information security are taken into account, and to avoid wasting resources managing aspects that are not important to the business.
Clause 4.3 a) and b) define scope
There are several steps to determining the scope of the ISMS:
- Define information security objectives to determine what should be included in the scope of the ISMS. Information security objectives can include classic aspects such as confidentiality, integrity and availability to protect sensitive data, disaster recovery, regulatory compliance, etc.
- Assess the risks in order to identify which activities, processes and resources should be included in the scope of the ISMS.
- Define areas of information security to be included in the scope of the ISMS. These may include access management, incident management, vulnerability management, backup management, business continuity management, etc.
- Identify key players who will be involved in implementing and managing the ISMS. These may include employees, partners, suppliers and regulatory authorities.
- Determine whether all business lines are included and covered by the scope of the ISMS.
- Once the above items have been identified, define the boundaries of the scope based on the information security objectives, the risk assessment, the security domains, the information concerned and the key players. Scope boundaries can include systems, data, processes, sites, people, etc.
- Check and validate the scope to ensure that it is complete and consistent by seeking feedback from stakeholders and comparing the scope boundaries with the standards and regulations that apply to your organization and its context.
Note that the scope of the ISMS varies according to the needs and objectives of each company, so it should be reviewed regularly to ensure it is still relevant and adapted to changes in the business.
Clause 4.3 c) – Interdependence
To determine the interfaces and dependencies between the organization’s activities and those carried out by other organizations, several approaches and sources of information are available:
- Review the organization’s business processes and those of other organizations. This can be done using tools such as process flow diagrams.
- Analyze the organization’s data to discover whether there are any dependencies between the data used by different organizations. This can be done using tools such as entity-relationship diagrams or data models.
- Review the interactions between the systems used by different organizations. This can be done using tools such as system diagrams or network diagrams.
- Talk to the employees of these organizations, since they may deal with other organizations in the course of their work.
Example of scope
- Protect our customers’ confidential information in accordance with the declaration of applicability dated xx/xx/xxxx;
- The purpose and scope of this ISMS is to preserve the confidentiality of information exchanged with customers and the availability of the IT systems providing services to users; it covers the activities of ABC’s customer operations monitoring and security center, in accordance with the declaration of applicability dated xx/xx/xxxx;
- The ISMS applies to the development and support of contact center services in accordance with the declaration of applicability dated xx/xx/xxxx.
- The core area of the ISMS will be the governance of data protection for ABC and its customers. Areas include the software development lifecycle, customer success, internal IT systems, the customer acquisition process and ISMS administration, all in accordance with the applicability statement version 3 dated xx/xx/xxxx.
Declaration of applicability
The declaration of applicability (also called the Statement of Applicability, or SoA) is a formal document that describes the information security processes and controls in place within the organization, and how they meet the requirements of the ISO 27001 standard.
The document typically contains the controls listed in Annex A of ISO27001, and you need to determine which are applicable and which are not.
The purpose of this document is to indicate which areas of the company are covered by the implementation of information security, and which are not.
The applicability declaration is important because it:
- Proves compliance with ISO 27001: by demonstrating the information security controls in place.
- Guides the implementation of information security: by describing the information security controls in place, the declaration of applicability can serve as a guide for the implementation of information security within the company.
- Facilitates communication: the applicability statement can help communicate information security policies and processes to employees, business partners and other stakeholders.
- Improves transparency: the applicability declaration makes information security controls more transparent to stakeholders.
The organization’s scope is tied to the declaration of applicability: items may be excluded from it, but the organization’s ISO27001 compliance status is then assessed against what it has declared to be applicable and non-applicable.
The applicability declaration will be reviewed in greater depth in section 6.1.3 of ISO27001.
Open to the public
It is important to bear in mind that the scope defined by the organization will also be recorded on the certificate issued when ISO27001 certification is obtained by the chosen certification body.
It’s an opportunity for the organization to communicate its values and objectives to its partners, reassuring them of the seriousness of its approach.
The certificate received could be shared with a large number of people, including on your website, to inform your customers and business partners that you have an ISMS in place and that it has been validated and confirmed as compliant with ISO27001.
For example, if your customers and partners have confidentiality requirements, it would be appropriate to state in the scope that it is the company’s objective to maintain the confidentiality of information received from its customers.
Also, if you offer cloud services, demonstrate to your customers that infrastructure availability is an element that the organization also considers important.
Success criteria
To determine whether we have met clause 4.3 of ISO27001, here are some questions an auditor might ask:
- Where is the organization’s scope documented?
- How are the organization’s internal and external issues taken into account?
- Are your customers’ requirements included in the scope?
- Show me the documentation of interfaces and dependencies between your organization’s procedures and those of other organizations.
- How did you check that the defined scope covers all requirements?
- What is the version of the declaration of applicability?
- How many non-applicable items do you have and why don’t they apply to your organization?
I invite you to click on “Follow” to continue learning more about the field of information security.