How to document the scope of your ISMS

If you’re planning to implement an ISMS (information security management system), you’ll need to document the scope of your project – or, in other words, define what information needs to be protected.

There will almost certainly be more information and more locations where information is kept than you initially think of, so it’s essential that you take the time to scope your organisation. However, this involves more than simply identifying the data stored on your systems.

Benefits of defining the scope of your ISMS

Organisations that define the scope of their ISMS will have a much better understanding of their information security environment – where their data resides, where their data is safe, what format the data is held in, and so on.

Knowing this helps you complete information security audits, particularly when it comes to understand how to approach specific risks and which controls are most suitable.

Similarly, by defining the scope of their ISMS, organisations also define what’s out of scope. Having a firm grasp of what doesn’t need to be addressed provides assurances that key parts of the business aren’t being overlooked.

For example, you might identify a third-party data processor that collects information on your behalf – like a payroll service.

You will probably have a contractual agreement with the third-party outlining mandatory information security controls, but you have no control over how these are operated, so you can’t consider it within your scope.

You should instead document the organisation and its processing under Annex A control A.15 – supplier relationships.

Defining your scope

There are three steps to defining the scope of your ISMS. First, you need to identify every location where information is stored.

This includes physical and digital files, the latter of which might be kept locally or in the Cloud.

Second, you need to identify the ways in which information can be accessed. Any entry point, be it a drawer full of files or an employee’s work-issued laptop, should be noted.

Third, you need to determine what is out of scope. These are elements that your organisation either has no control over (such as third-party products) or that don’t give access to or house sensitive information.

For example, your organisation’s foyer probably won’t need security controls. If for some reason you do keep sensitive information there, it would be worth relocating it to put the foyer out of scope.

A well-defined scope ensures that every area of your organisation receives adequate attention when it comes to implementing security controls.

Documenting your scope is also a requirement of ISO 27001, the international standard that describes best practices for an ISMS.

What should the ISO 27001 scoping document look like?

Organisations often get tripped up by how to document the scope of their ISMS, either guessing or spending an inordinate amount of time researching how much detail to go into and the best way to lay out the information.

However, you can avoid that hassle by using our ISO 27001 ISMS Documentation Toolkit.

Developed by expert ISO 27001 practitioners and enhanced by more than ten years of customer feedback and continual improvement, it contains a customisable scope statement as well as templates for every document you need to implement an effective ISMS and comply with the Standard.

Our customisable scope statement takes the hassle out of documenting ISO 27001 compliance.

Our customisable scope statement takes the hassle out of documenting ISO 27001 compliance.

The toolkit contains:

  • A complete set of easy-to-use, customisable and fully ISO 27001-compliant documentation templates that will save you time and money;
  • Easy-to-use dashboards and gap analysis tools to ensure complete coverage of the Standard; and
  • Direction and guidance from expert ISO 27001 practitioners.

Find out more


A version of this blog was originally published on 24 May 2018.