ISMS Scope Confusion in ISO 27001: Don’t Get Lost - Information Security Management Systems Scope

Updated: Sep 30

Lately, we have had clients struggling with properly defining their Information Security Management System (ISMS) Scope. – This article will succinctly give you everything you could ever lust to know about ISMS Scopes.


Let's understand scope interfaces and dependencies through an analogy...

[Figure: ISMS Scope can be like blobs of water merging together. Blobs of water represent an ever-expanding scope, which can merge into a pool if we aren't prepared.]

As all companies know, scope creep in projects is a no-no; properly defining scope from the outset ensures the most efficient project execution, within budget. Therefore, beware of an ever-creeping ISMS scope. Determining the ISMS scope is an essential balancing act of investment (or cyber spend), assessing your cybersecurity risk appetite and understanding the inherent nature of your organization. Moreover, no two companies are alike, so understanding your company structure, strengths and weaknesses, and business limitations/capacity will help you successfully develop an ISMS scope. Lastly, think like an auditor and think like a certification body to get the balance right.


Just to preface, this article is focused on ISO/IEC 27001:2013. The newest version of the standard, known as ISO/IEC 27001 (expected publication date December? 2022), along with its guidance ISO/IEC 27002 (publication date February 2022), is going to rock our world all over again in Q4? 2022. Regardless, Scope Confusion will always be with us, due to the nature and difficulty of initially defining any ISMS scope.


Check out our status tracker for the new ISO 27001 release here: ISO 27001 New Release Progress (arora-solutions.com)


Getting started with the basics of the ISMS Scope:


What is an ISMS Scope: ISMS Scope Defined

How do you succeed when defining your Scope?

Frequently Asked Questions - What? How? Why? About Scope



What is an ISMS Scope: ISMS Scope Defined


As defined in ISO/IEC 27000, an Information Security Management System is a systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization’s information security to achieve business objectives.


The ISMS scope requirements are defined within ISO/IEC 27001 clause 4.3: "The organization shall determine the boundaries and applicability of the information security management system to establish its scope. When determining this scope, the organization shall consider: a) the external and internal issues referred to in 4.1; b) the requirements referred to in 4.2; and c) interfaces and dependencies between activities performed by the organization, and those that are performed by other organizations. The scope shall be available as documented evidence."


For the purposes of this article, let’s note the two terms as stated above: “interfaces” and “dependencies”. In other words, interrelating business functions, such as vendor management, HR, procurement, supply chain, IT service desk, some accounting functions, legal compliance, and other supporting functions essential to maintaining the Information Security Management System, must be considered within the scope if that function touches processes, technology or departments within the ISMS.


Don’t want to include these support functions within your ISMS? Carving out interfaces and dependencies is possible, but it isn’t an easy task. This requires a clear definition within your scope to ensure things don’t touch and are clearly demarcated. If not properly carved out, this can lead to electrocution, or third degree burns, or just a lot of rework. Seek trained professional support here!


The scope requirements are even more clear after reviewing the requirements for Certification bodies. ISO defines its requirements for Certification bodies within ISO/IEC 27006 Information technology — Security techniques — Requirements for bodies providing audit and certification of information security management systems.


ISO/IEC 27006:2015 clause 9.1.3.5 states: "Certification bodies shall ensure that interfaces with services or activities that are not completely within the scope of the ISMS are addressed within the ISMS subject to certification and are included in the client’s information security risk assessment."


In other words, any interfaces and dependencies related to in-scope services and processes matter, and they shall be subject to certification and risk assessment by your organization.


Think of processes and functions within the ISMS as droplets of water on a flat pane of glass. The closer the droplets get to each other, the higher the chance that they absorb each other, quickly growing into a big blob. Interfaces and dependencies leak into every core function of the business. If you have constraints within your IT department, keeping the flow of water under control requires a new way of thinking.


When in doubt—on which scope blobs to bring in and avoid—conducting a full risk assessment of each scope issue will be a necessity.


How do you succeed when defining your Scope?


  1. Know your business.

  2. Think like an auditor.

  3. Think like a Certifying body.


Not only do we support clients already Certified to ISO 27001—we work with several internationally accredited Certification bodies, who assess companies on a daily basis.

Knowing how Certification bodies are thinking is a way to be properly informed.


After our discussions with Certification bodies on ISMS scope, their consensus is as follows:

  1. Properly defining your ISMS scope is essential and should be clearly written, communicated, and utilized. Defining your sites and locations under central management control of the organization will influence the time, certification cost, and risk inherent in managing the ISMS. Having multiple sites will influence your ISMS and Certification scope. Our advice: Write a clear ISMS Scope document. Ensure this matches your Certification Scope (one sentence). Include proper references to supporting policies. Don’t forget to exclude or include departments/sites/locations/areas that should be excluded or included. Handle any potential issues by risk assessing them. Make scope issues clear as day for the Certification body. Keep issues in the light: for your organization’s integrity, for continual improvement.

  2. Your Statement of Applicability (SoA) links to the policies, systems, and departments within your ISMS scope. Improperly defining your SoA, in essence, improperly defines your ISMS scope. Our advice: Double check your SoA before Certification audits (Stage 1 / Stage 2 / Surveillance). Make sure the SoA matches your ISMS Scope document and properly refers back to in-scope processes, not out-of-scope ones. External Certification auditors will be checking the SoA in depth to make sure it is up to date and applicable.

  3. Limit (or expand) your Certification Scope (the one-sentence statement on your ISO Certificate) to the business functions, services, sites and locations that are critical to your organization’s brand reputation and clients. Confirm it is accurate with the Certification body. Again, auditors will be checking this. Our advice: Don’t bite off more than you can chew with your ISMS. But also, don’t even bother pursuing Certification if you aren’t really protecting critical information assets, systems and client information. Having an ISMS for only a small part of an organization doesn’t protect anyone from data breaches and continually emerging cyber threats. We hate it: Do not "cyber wash"—you just might get HACKED or RANSOMED.

  4. Properly risk assess areas which could impact your ISMS Scope. Our advice: By properly risk assessing and treating potential scope issues, you are proving to yourself and the Certification body that you mean business and are operating with integrity. You show that you have your eye on the ball.


Frequently Asked Questions - What? How? Why? About Scope


For everything else you'd like to know about scope, we have developed an easily digestible FAQ around four of the most common questions and concerns businesses of all sizes ask us:


Question 1: What is the difference between Certification Scope and the ISMS Scope?

Answer:

"Certification Scope" vs "ISMS Scope": Certification Scope: A one-sentence description of your ISMS appearing on your ISO/IEC 27001:2013 Certificate of Registration issued by the independent third-party certification body. It states everything your ISMS covers in terms of your main business processes.

ISMS Scope: A document or written policy outlining the clear distinction of the boundaries and applicable governance, services, functions, roles and locations within your ISMS.

Question 2: How does Certification Scope compare (and link) to the ISMS Scope?

Answer:

These link because the Certification Scope acts as the high-level summary of the ISMS Scope. These scopes must match in their coverage.

Question 3: Do I need a separate ISMS for each business unit or function?

Answer:

No, but you can. Our advice is to keep one main ISMS and slowly expand the scope over time. This will increase efficiency and establish a central governance function (i.e. an ISMS Committee or Information Security Committee). If you have separate legally defined businesses, there may be a time and place for separate Information Security Management Systems. Our advice: Don't waste resources, or inflict unnecessary pain on yourself by creating more than one ISMS.

Question 4: Can I start with a limited scope ISMS and slowly expand the scope to include other areas within my company?

Answer:

Yes, as stated above, slow expansion is possible. However, this should not compromise the business by developing a scaled-down ISMS. That is akin to taking the wheels off the car. Full-scope pre-certification readiness audits, gap assessments, and risk assessments are critical to ensuring all critical activities, services and functions are included within your initial limited-scope ISMS.


To sum it all up again, do not substantially limit scope which can be tantamount to shameless "cyber washing". You may get hacked and ransomed because karma works that way.


About ARORA Solutions

ARORA Solutions is a human-centric auditing and technology company focused on delivering security, health and peace to people and organizations. We have a wide array of expertise in Information Security Management Systems consulting, auditing and implementation. Our track record of successful management systems audit and implementation deployments includes major companies in the information technology, consulting, healthcare, manufacturing, finance (Fintech), and food sectors.


We are committed to a sustainable world. Moreover, our company culture incorporates these four pillars in our day-to-day life, business and work:


Humans - With ethics, presence, honesty, and open ears

Security - For our data, information, privacy and safety

Health - For mind, body, the whole organism, the earth

Peace - For the world, assurance, integrity, integration, cohesion


Note: This article is not to serve as official guidance for your organization, but we hope it was informative. Please seek a professional consultant and discuss with your Certification body any implications of inclusions and exclusions of scope, in advance.
