ISO 27001 Clause 4.3 Determining The Scope Of The Information Security Management System (ISMS)

ISO 27001 is the international standard for managing information security. Clause 4.3 is a key part of it: it requires you to decide which parts of your organisation the Information Security Management System (ISMS) will protect. This is called setting the scope.

It is important to get the scope right. If you set it too wide, you spend time and money protecting things that do not matter to the ISMS; if you set it too narrow, important information and systems are left unprotected. It is like building a fence: you need to know what belongs inside it before you start.

What is ISO 27001 Clause 4.3 Determining The Scope Of The Information Security Management System (ISMS)?

The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022).

In the ISO/IEC 27001:2022 standard, the clause is titled “Determining The Scope Of The Information Security Management System (ISMS)”.

What is the ISO 27001 Clause 4.3 control objective?

The formal definition and control objective in the standard is:

“The organization shall determine the boundaries and applicability of the information security management system to establish its scope.

When determining this scope, the organization shall consider:

  a) the external and internal issues referred to in 4.1;
  b) the requirements referred to in 4.2;
  c) interfaces and dependencies between activities performed by the organization, and those that are performed by other organizations.

The scope shall be available as documented information.”

What is the purpose of ISO 27001 Clause 4.3?

The purpose of ISO 27001 Clause 4.3 is “To ensure a clear and well-defined scope for your Information Security Management System (ISMS) and your subsequent ISO 27001 certification. This clarity helps establish:

  • Which parts of the organisation are included within the boundaries of the ISMS.
  • The specific areas that will be assessed during the ISO 27001 certification audit.

By defining the scope, you can ensure that your ISMS is focused on the most critical areas and that your certification accurately reflects the extent of your information security efforts.”

Is ISO 27001 Clause 4.3 Mandatory?

Yes. ISO 27001 Clause 4.3, “Determining The Scope Of The Information Security Management System (ISMS)” in the 2022 standard, is a mandatory clause in the main body of the standard.

How to Set the Scope

Here are simple steps to set your scope:

  • List everything. Write down all your products, services, locations, systems and the information they handle.
  • Draw the line. Decide which teams, sites and systems will be inside the ISMS, and which will be outside it.
  • Talk to people. Ask customers, regulators and leaders what they expect (the interested parties from Clause 4.2). Find out what they think is important to protect.
  • Look inside and out. Think about the problems that could hurt your company, considering both internal issues and external issues (the context from Clause 4.1).
  • Note the interfaces. Record where activities inside the scope depend on, or hand data to, other organisations such as suppliers and cloud providers.
  • Write it down. Create a formal scope statement. This is your scope document, and the standard requires it to be available as documented information.
  • Get a stamp of approval. Make sure your leaders review and agree to the scope.
  • Tell everyone. Let all your workers and partners know what is in the scope.

What an Auditor Will Check

An auditor will want to see proof that you are following these rules. They will:

  • Check that you have documented your ISO 27001 scope
  • Look for evidence that you have implemented the scope (that the ISMS actually covers the teams, sites and systems the scope statement names)
  • Look for evidence that the scope was approved by management

ISO 27001 Clause 4.3 FAQ

  • Do I have to include my whole company? No. You can include just a part of it, which avoids a lot of extra work. The boundary must still be clear and justified.
  • Can I change the scope later? Yes. You can change it, but you must be able to explain why you made the change, and the scope document must be updated and re-approved.
  • What if I leave something out? You must tell the auditor about anything you left out and have a good reason for it. Exclusions should be stated in the scope document so they are not mistaken for gaps.