The required activity
Clause 4.3 ISO 27001 Guidelines for Implementation
To determine the scope of the ISMS (information security management system), the organization determines its boundaries and applicability.
The information security scope identifies the subject matter and purpose of ISMS application and excludes the subjects and purposes it does not apply to. Therefore, the process of determining the scope of the ISMS is a key activity that determines the necessary foundation for all subsequent activities. Risk assessment and risk management, including the determination of controls, cannot be validated without being able to identify the specific locations where the ISMS applies. Additionally, it is critical to be aware of the boundaries and applicability of the ISMS, as well as the interfaces and dependencies between the organization and other organizations. Changing the scope later can create substantial costs and effort.
The scope can be determined by the following factors:
The external and internal factors that are discussed in Understanding the organizational and organizational context;
2. The parties concerned and their requirements that are identified consistent with ISO/IEC 27001:2013¸4.2;
3. Business activities’ readiness to be covered by an ISMS;
4. All forms of supportive services, such as functions necessary to facilitate these business activities (for example, human resources management, IT services, management of physical spaces, provision of essential services, and utility management);
5. Outsourced functions, either within the organization or to outside suppliers.
ISMS are often extremely different from one implementation to another in terms of scope.
Here are a few examples of what can be included in the scope:
– One or more particular processes;
– A single or multiple specific functions;
– The provision of at least one specific service;
– In one or more specified sections or locations;
– A complete legal entity;
– An entire administrative entity and at least one of its suppliers.
A multi-step approach is often used to define the scope of an ISMS:
1. Identify the preliminary scope: a representative group of management representatives should be appointed to conduct this activity;
2. Establish the refined scope of the work. It might be necessary to review certain units inside and outside the preliminary scope, possibly followed by excluding or including others to reduce the number of interfaces between units. To refine the preliminary scope, all functions necessary for supporting the business activities included in the scope should be considered;
3. Establish the ultimate scope: managing within the refined scope of the refinement of the scope is the most important step. Adjustments should be made, then it should be described precisely; and
4. Formal approval of the scope: the details of the scope should be documented and approved by the top management.
It is also important that the organization considers activities that have a direct impact on the ISMS, as well as those that are outsourced, either to other parts within the organization or to independent vendors. The scope of such activities should be identified as well as the interfaces (physical, technical, and organizational) that affect them.
Describe the scope of the project in document form by including:
1. The scope, boundaries, and interfaces of the organization;
2. The scope and boundaries of information and communication technologies;
3. Definition, boundaries, and interfaces of the physical scope.
1. What does Clause 4.3 of the ISO 27001 Implementation Guideline mean?
2. Describe the process of Determining the scope of the information security management system in Clause 4.3 ISO 27001 Implementation Guideline.