Determining the Scope of your ISO27001 ISMS
If you have taken our advice you have so far worked through clause 4 and created outputs for the other sections: 4.1 Understanding the organisation and its context, 4.2 Understanding the needs and expectations of interested parties, and 4.4 Information security management system.
That means you are now left with only clause 4.3 Determining the scope of the information security management system, which should be easy enough.
ISO27001 Clause 4.3 Wording
The clause itself is pretty small. It says:
"The organisation shall determine the boundaries and applicability of the information security management system", which is about setting the scope, or the limits, of your Information Security Management System and determining what is and isn't applicable to it.
Considering your ISMS Boundaries and Applicability
You have the ability to effectively ring-fence the parts of your organisation that will be in or out of the Information Security Management System scope, and ISO27001 Clause 4.3 is where you do this. Before you do, really have a think about why you would do it. It's good to be clear about why you are setting a boundary, so that when you explain it to your team (and the auditor) it will make sense.
Here are some examples (clearly not an exhaustive list) of the considerations you may make about the scope:
- Only some of the products or services you deal with need the level of information security you are looking at
- Perhaps it will be region or country specific
- Perhaps you are going to roll out your Information Security Management System in stages across the organisation (this is hard to do practically when you think about it, however)
- External support, or outsourced services or products, may also be something you decide not to include
Documenting the Scope
When you are documenting the scope you don't need to go into pages and pages of what's in, what's out and why. Keep it simple, so that when anyone picks up the document to see whether your Information Security Management Policy applies to them because they have lost their fancy internet-connected watch, the answer will be obvious.
That means that something pretty much exactly as you have already written in your ISO9001:2015 scope is perfectly acceptable here, so using the example we used there:
"The scope is: provision of marketing, sales, support, development and implementation of software solutions for emergency services. Location Unit 42, 99 Letsbe Avenue, Christchurch, New Zealand."
And if you want to exclude things it's as simple as writing something like:
"Exclusions of the ISO 9001:2015 standard: Clause 8.3. All designs of electronic products are provided to us by our customers; XYZ Ltd is only providing manufacturing assembly services of the provided designs."
That makes it crystal clear what is in and what is out. One caveat: that exclusion example is an ISO 9001 one. ISO27001 does not let you exclude any of its own clause 4 to 10 requirements, so for the ISMS the exclusions you write here describe which parts of the organisation, locations, services or systems are outside the boundary, while exclusions of individual controls are justified separately in your Statement of Applicability.
Polishing the Scope
This is a short section and all I'm going to say is don't, just don't, spend hours trying to polish it or wordsmith it. It's not that important; nothing ever beats a plain English description (in whatever language you need it to be in) of what you are trying to say. Focus on keeping it simple and your Information Security Management System users will thank you and repay you by actually using the system as intended, rather than having to get someone to interpret each word or phrase you have carefully crafted to make it sound buzzwordy and clever. Just don't.
Copyright
© Many Caps Consulting Ltd | All Rights Reserved