What is ISO 27001 Clause 4.3?
ISO 27001 Clause 4.3 defines the boundaries of your security management. You must document this scope within your internal business tools. This ensures the ISMS aligns with your specific operational environment. It prevents generic security applications that fail to protect critical assets.
Auditor’s Eye: The Shortcut Trap
SaaS platforms often provide a generic scope statement. This is a common audit failure. Auditors want to see a scope that reflects your specific organisation. We look for evidence in your SharePoint or Confluence pages. This proves you have manually assessed your own business boundaries. Reliance on automated “green ticks” suggests a lack of management ownership. Authentic compliance requires records within your native document repositories.
| Requirement | ISO 27001:2013 | ISO 27001:2022 |
|---|---|---|
| Identification of Boundaries | Required. | Required with focus on interfaces. |
| Documentation | Must be available as documented information. | Enhanced focus on alignment with Clause 4.1/4.2. |
| External Interfaces | Briefly mentioned. | Explicitly requires consideration of third-party dependencies. |
How to Implement ISO 27001 Clause 4.3 (Step-by-Step)
The core requirement is defining the physical and logical boundaries of your ISMS. You must consider internal issues and stakeholder requirements. Document this scope in a controlled environment like SharePoint. This ensures all staff can access and follow the defined security parameters.
Step 1: Physical and Logical Mapping
List every office location and cloud hosting region. Use a SharePoint page to maintain this list. Define which business units fall inside the ISMS. Clearly state which departments are excluded and why.
Step 2: Contextual Integration
Review your Clause 4.1 and 4.2 documents. Your scope must address the issues and requirements found there. Link these documents in your internal wiki. This shows the auditor a logical flow between clauses.
Step 3: Interface Definition
Identify where your organisation interacts with external parties. Use Jira to log these dependencies. Define the security responsibility for each interface. This prevents gaps in your security coverage.
ISO 27001 Clause 4.3 Audit Evidence Checklist
Focus on records that prove human oversight and intent. Auditors need to see the “why” behind your boundaries.
- A formally approved Scope Statement in SharePoint.
- Version history showing changes following management reviews.
- Minutes of meetings where boundaries were discussed.
- Internal wiki pages detailing network and physical interfaces.
- Documented justifications for any excluded business areas.
Relational Mapping
Clause 4.3 is the pivot point. It uses data from Clauses 4.1 and 4.2. It directly defines the boundaries for Clause 6.1 Risk Assessments. Without a clear scope, your Statement of Applicability (Clause 6.1.3) becomes invalid. Ensure all internal links point back to this scope statement.
Auditor Interview: Direct Process Management
Question: How do you ensure the scope remains accurate?
Answer: We review it during every management meeting in SharePoint.
Question: Who decided to exclude the marketing department?
Answer: The Security Forum approved this based on their limited data access.
Question: Where is the record of your ISMS boundaries?
Answer: It is our primary controlled document on our Confluence site.
Common Non-Conformities
| Failure Mode | Cause | Auditor Finding |
|---|---|---|
| Automated Complacency | Using a default scope from a SaaS tool. | Major NC: Lack of internal boundary assessment. |
| Hidden Interfaces | Ignoring cloud service provider dependencies. | Minor NC: Incomplete definition of ISMS boundaries. |
| Unjustified Exclusions | Excluding units without a documented reason. | Major NC: Scope fails to protect relevant assets. |
Frequently Asked Questions
What is the main requirement of ISO 27001 Clause 4.3?
The main requirement is determining the boundaries of your security system. You must document what is in and out of scope. Use your internal document systems to store this information. This ensures the ISMS is relevant to your specific business needs. It must consider internal and external issues.
How does the scope affect certification?
The scope determines the area the auditor will inspect. Anything outside the scope is not part of the audit. However, exclusions must be justified and logical. Document these decisions in your SharePoint management area. This provides the necessary evidence of intent for the auditor.
Why use SharePoint for scope documentation?
SharePoint provides built-in version control and access logs. This proves to auditors that the scope is a living document. It integrates security into your daily organisational tools. This approach is better than using external SaaS platforms. It keeps your compliance data under your own control.
