ISO/IEC 27001:2022 specifies the requirements for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS).
One of the crucial steps in this process is writing a precise and clear definition of the scope of the ISMS.
I’ve already talked about this subject here.
Today, I’d like to focus on writing that sentence, the simple phrase that ends up on your certificate!
This one sentence establishes the boundaries and applicability of the ISMS within the organization.
In other words, it is the equivalent of the security program’s mission statement. The scope aims to answer a fundamental question: **“Why do we implement a security program?”**

A clear scope makes it possible to:
- Align the ISMS with strategic objectives: ensure that the security measures put in place allow the organization’s mission to continue.
- Identify critical assets: focus efforts on protecting the information that is essential to the organization.
- Facilitate resource allocation: make the best use of human and financial resources by targeting priority items.
- Ensure regulatory compliance: make sure the ISMS covers the applicable legal and regulatory requirements.
Here are some examples of scope definitions:
Example 1: Manufacturing company
Context: A company producing electronic components wishes to protect its industrial secrets and ensure the continuity of its operations.
Scope of the ISMS: “The ISMS covers the design, production and maintenance processes for electronic components at the Toronto and Montreal sites, including the R&D, production and IT support departments.”
Example 2: Financial services company
Context: A financial institution offering online banking services wants to secure its customers’ sensitive data and comply with current regulations.
ISMS scope: “The ISMS encompasses online banking, the IT infrastructures supporting these services, as well as risk management and compliance departments, across all Canadian offices.”
Example 3: IT service provider – Monitoring and operations
Scope of the ISMS: “The aim and scope of this ISMS is to preserve the confidentiality of information exchanged by customers, and the availability of IT systems providing services to users. This covers our customers’ operations monitoring and security center activities.”
Example 4: Contact center development and support
ISMS scope: “The ISMS applies to the development and support of contact center services.”
Example 5: Governance and the software life cycle
Scope of ISMS: “The core area of ISMS is the governance of data protection for ABC and its customers. Areas covered include the software development lifecycle, customer success, internal IT systems, the customer acquisition process and ISMS administration.”
Example 6: Protecting confidential information
ISMS scope: “Protecting our customers’ confidential information”.
Why mention the Statement of Applicability in the scope of the ISMS?
A phrase recurs at the end of scope statements in the ISO 27001 world:
“… in accordance with the Statement of Applicability version 1.0 dated xx/xx/xxxx.”
It is no coincidence that it appears on so many scope statements and certificates: it is an implicit requirement of the standard, and an explicit expectation of certification bodies.
What the standard says
ISO/IEC 27001:2022 does not literally require this phrase to be written into the scope, but it does impose two key obligations:
- Clause 4.3: the organization must determine the boundaries and applicability of the ISMS and keep the scope available as documented information, taking into account the internal and external issues and interested-party requirements of clauses 4.1 and 4.2, as well as the interfaces and dependencies between its own activities and those performed by other organizations.
- Clause 6.1.3: the organization must produce a Statement of Applicability (SoA) that lists the necessary controls, states whether they are implemented, and justifies both the inclusion and the exclusion of Annex A controls. Like any documented information, the SoA is subject to the identification and version control requirements of clause 7.5.
So, for an auditor to verify the consistency between the declared scope and the controls actually in place, the scope must be tied to a specific, dated version of the SoA. Hence the importance of this closing statement.
When an auditor reads the scope of an ISMS, they should be able to:
- Make an immediate link with the existing controls;
- Understand which exclusions are justified in the SoA;
- Identify the exact version of the SoA on which the entire management system is based.
This traceability is essential to ensure that the scope is not theoretical, but rooted in a concrete, up-to-date risk assessment.
Formulation example
“The ISMS covers IT infrastructure development, support and management activities for the Montreal and Quebec City offices, in accordance with the Statement of Applicability version 3.1 dated April 4, 2025.”
*Seeing this formulation reinforces the assurance that the ISMS is alive and well within the organization: all of its documents are interlinked.*
Best practices and pitfalls to avoid
- Involve stakeholders: work closely with all the entities concerned to ensure the scope definition is complete.
- Avoid a scope that is too broad or too narrow: too broad a scope dilutes effort, while too narrow a scope leaves risks unaddressed, especially at the interfaces with what has been left out.
- Review the scope regularly: adapt it to organizational, technological or regulatory changes, and update the SoA version referenced in the scope when the controls change.
- Clearly document exclusions: every exclusion must be justified, to avoid grey areas during audits or assessments.
Success criteria
Here are a few questions an auditor asks when reviewing an ISMS scope:
- Is the scope sentence clear, simple and understandable, so that a reader knows what the security program covers?
- Are the geographical boundaries clear, e.g. are sites and addresses documented?
- Are the units, services and processes included in the scope unambiguously identified?
- Are exclusions justified and well documented?
- Are interfaces with external suppliers or outsourced services either included in the scope or explicitly identified as dependencies, as clause 4.3 requires?
Without a clear definition of the scope of the ISMS, the entire security program is at risk. Teams risk moving in all directions without knowing what really matters… or what doesn’t. A well-defined scope is the foundation of an effective, coherent and relevant ISMS.
I invite you to click on “Follow” to continue learning more about the field of information security.