ISO 27001 Clause 4.3: What’s the Point?
ISO 27001 is the international standard for an information security management system (ISMS): a rulebook for keeping information safe. Clause 4.3 is a key part of it. It requires you to decide which parts of your company the ISMS will cover. This is called setting the scope.
It is important to get the scope right. If the scope is too wide, you waste time and money protecting things that do not need it; if it is too narrow, the things that matter are left unprotected. It is like building a fence: you need to decide what goes inside it before you start.
How to Set the Scope
Here are simple steps to set your scope:
- List everything. Write down all your products, services, systems and locations.
- Draw the line. Decide which teams, sites and systems will be inside the security plan, and which will be outside it.
- Talk to people. Ask customers, regulators and leaders what they expect. Find out what they think is important to protect.
- Look inside and out. Think about problems that could hurt your company. Look at both internal issues (people, processes, technology) and external issues (laws, suppliers, threats).
- Write it down. Create a formal statement that says what is in scope and what is out. This is your scope document.
- Get a stamp of approval. Make sure your leaders review and agree to the scope.
- Tell everyone. Let all your workers and partners know what is in the scope.
What about a Certificate?
When an auditor comes, they will check your scope. They want to see that you followed the rules in Clause 4.3. You must show that your scope is justified and makes sense for your business, and that what you left out was left out for a good reason.
Common Questions
- Do I have to include my whole company? No. You can include just a part of it, such as one business unit or one service. This helps to avoid a lot of extra work. The part you choose must still make sense as a unit on its own.
- Can I change the scope later? Yes. You can change it. But you must be able to explain why you made the change, and the new scope must be reviewed and approved like the first one.
- What if I leave something out? You must tell the auditor about anything you left out. You have to have a good reason for it, and you must record that reason in your scope document.
For a deeper dive into ISO 27001 Clause 4.3, read "The Ultimate Guide to ISO 27001 Clause 4.3: Determining the Scope of the Information Security Management System".