by: Larry Kinkaid
Defining the scope of your information security management system (ISMS) is a crucial step in your security and compliance journey. The scoping statement is a core element to ISO 27001 and to any ISMS. In fact, it is included in an organization’s ISO 27001 certification to provide to interested parties who need to better understand the organization’s approach to cybersecurity and data protection.
What is Information Security Management System Scope?
The scope of your ISMS defines everything inside your security program—all of the information assets and processes that are protected and audited under the ISO/IEC 27001 process. The scope needs to be clearly defined for your customers and stakeholders so they understand what parts of your business are covered by your ISMS.
For smaller organizations, their entire technology portfolio should typically be included in the scope of the ISMS. For larger organizations, defining information security management systems’ scope may require a more strategic approach—it may not make sense to include the entire organization. For example, if the business units or sub-entities of a larger organization are very independent, the organization may choose to not include them in the scope.
In addition to clearly defining the different components of your program, the scope should summarize the purpose of implementing an ISMS. Think of it as a basis of a data security charter, which will outline every person within the organization that has infosec responsibilities.
The Purpose of Defining an Information Security Management System Scope
There are several benefits of defining a scope for the information security management system. The primary purpose of having a scope is to ensure that all interested parties understand the purpose of the ISMS as it relates to the organization. Additionally, organizations want to ensure that customers and other stakeholders are able to discern that it adequately covers the nature of their relationship to the organization.
Simply put, having a clearly defined scope that makes logical sense to your customers has several benefits, and is simply a good business practice. It demonstrates that your organization is thoughtful about security, privacy, and confidentiality of data. It can build trust with your audience and ultimately lead to more business opportunities.
How to Determine the Scope of Your ISMS
Your customers and stakeholders will help you define your scope based on their information security and risk management expectations and needs. Organizations should draft the ISMS scoping statement with interested parties in mind—namely customers, but also any vendors that they work with or anyone that could be implicated if a security program is not effective.
The ISMS scope document should include, at the very least, your highly sensitive information such as product and customer data. Security is a journey, and your ISMS can grow and change to be more strategic over time. Organizations may also want to include their internal business risks (such as employee data) as part of the program, which should also be included in the scope. The following questions may be helpful to ask when determining the scope of an ISMS:
- What are our customer commitments?
- Are there any nuances to be considered (such as applicable risks and considerations of what is material to interested parties)?
- Does it make strategic sense to split up our security into multiple programs based on our business units and/or products?
- Are we going to include internal business risks?
Typically, executive leadership is responsible for defining the scope of an ISMS—this is not a project that lies entirely with the information technology team. It should be owned by an information security committee that is sponsored by the chief information security officer (CISO). If your organization does not have a CISO, it may be helpful to hire a virtual CISO (vCISO) to assist with your information security program.
How the ISMS Scope Relates to ISO 27001
Your information security management system is at the core of ISO 27001 certification, and the scope of the ISMS indicates the areas of the business that will fall under ISO/IEC 27001 process. Before undergoing an ISO/IEC 27001 audit, it’s crucial to define this scope and ensure it is aligned with your business needs, organizational structure, location, information assets, and technologies. The scope can be as broad or as narrow as desired, covering either a small part of your organization or the entire entity, as long as all ISO 27001 requirements are applied and operational. However, keep in mind that areas outside the scope of your ISMS may be more vulnerable to cybersecurity threats and may require additional security controls.
While having a clearly defined scope is a requirement for certifications such as ISO/IEC 27001, it can also help to give direction for additional certifications or evaluations since it can be difficult to start from a blank page.
Interested in learning more about how to define the scope of an ISMS? Contact us today. As an accredited certification body, BARR is here to help you achieve ISO/IEC 27001 certification. ISO/IEC 27001 is a globally recognized framework that can help you effectively manage the security of your services, data, intellectual property, or any third-party information entrusted to you. With BARR’s expert guidance, you’ll have support every step of the way to simplify the certification process.
About the Author
Larry Kinkaid, Senior Consultant, CISO Advisory
As a Senior Consultant at BARR Advisory, Larry supports the company’s growing CISO Advisory service offerings, specifically for small-to-medium sized companies in need of a virtual CISO (or CISO on retainer). He plans and executes various engagements including readiness assessments, policy and procedure documentation, vendor risk management assessments, and external audit assistance.
He is an experienced consulting professional with a history of working in IT governance, risk, and compliance for large companies. He maintains the CISA and CRISC certifications to fortify his reputation as an IT professional in audit and risk. Larry graduated from Bowling Green State University with a Bachelor of Science in Business Administration, Information Systems Auditing and Control, and Management Information Systems.