How to document the scope of your ISMS

If you’re planning to implement an information security management system (ISMS), you’ll need to document the scope of your project – or, in other words, define what information needs to be protected.

There will almost certainly be more information and more locations where information is kept than you initially think of, so it’s essential that you take the time to scope your organisation. However, this involves more than simply identifying the data stored on your systems.

Defining your scope

There are three steps to defining the scope of your ISMS. First, you need to identify every location where information is stored. This includes physical and digital files, the latter of which might be kept locally or in the Cloud. Second, you need to identify the ways in which information can be accessed. Any entry point, be it a drawer full of files or an employee’s work-issued laptop, should be noted.

Third, you need to determine what is out of scope. These are elements that your organisation either has no control over (such as third-party products) or that don’t give access to or house sensitive information. For example, your organisation’s foyer probably won’t need security controls. If for some reason you do keep sensitive information there, it would be worth relocating it to put the foyer out of scope.

A well-defined scope ensures that every area of your organisation receives adequate attention when it comes to implementing security controls. Documenting your scope is also a requirement of ISO 27001, the international standard that describes best practices for an ISMS.

What should the document look like?

Organisations often get tripped up by how to document the scope of their ISMS, either guessing or spending an inordinate amount of time researching how much detail to go into and the best way to lay out the information.

However, you can avoid that hassle by using our ISO 27001 ISMS Documentation Toolkit. Developed by expert ISO 27001 practitioners and enhanced by more than ten years of customer feedback and continual improvement, it contains a customisable scope statement as well as templates for every document you need to implement an effective ISMS and comply with the Standard.

Our customisable scope statement takes the hassle out of documenting ISO 27001 compliance.

Our customisable scope statement takes the hassle out of documenting ISO 27001 compliance.

The toolkit contains:

  • A complete set of easy-to-use, customisable and fully ISO 27001-compliant documentation templates that will save you time and money;
  • Easy-to-use dashboards and gap analysis tools to ensure complete coverage of the Standard; and
  • Direction and guidance from expert ISO 27001 practitioners.

Find out more >>