Determining In-Scope Headcount for Your ISO 27001 Audit 

Determining the in-scope headcount for your ISO 27001 Information Security Management System (ISMS) is an essential step in preparing for certification. Your headcount reflects the number of people directly involved in performing the processes covered by your ISMS, and its accuracy influences the required audit time and overall management of the ISMS.  

Ensuring this headcount is well-defined and comprehensive will streamline your audit, help your certification body adequately budget time for the audit process, and support the successful implementation of security measures aligned with your business operations. 

What Is In-Scope Headcount? 

The term “in-scope headcount” refers to the employees and contractors directly involved in performing the activities governed by your ISMS. This includes people across various departments who contribute to the development, maintenance, and security of the systems, processes, or services within the defined scope.  

For example, if your ISMS covers the development and operation of a Software-as-a-Service (SaaS) application, your in-scope headcount would include developers, DevOps engineers, system administrators, and, depending on how they interact with the development process, potentially corporate IT. 

Key Considerations for Determining Headcount 

When identifying your in-scope headcount, consider these critical factors: 

  • Processes Involved: Identify all processes that are part of your ISMS. For a SaaS platform, this might include software development, system operation, and incident response management. 
  • Dependencies Between Departments: Consider how different departments interact. For example, while development may be the primary process, corporate IT may also fall under the ISMS if their activities support or influence development. 
  • Third-Party Involvement: If external partners or vendors play a role in your information security processes, include them where relevant. 
  • Workforce Structure: Include full-time, part-time, and contract workers who contribute to ISMS activities. Part-time workers should still be counted, in proportion to the share of their time spent on relevant tasks. 

5 Steps to Define Your In-Scope Headcount 

Step 1: Identify Core ISMS Processes 

Start by identifying the processes that fall under your ISMS. For example, if your ISMS covers a SaaS platform, you would include software development, operations, and maintenance. Focus on the roles directly involved in these processes. 

Step 2: List Departments Involved 

Once the core processes are defined, determine which departments or teams are responsible for these activities.

Step 3: Map Dependencies 

Evaluate the dependencies between departments. For example, if corporate IT provides critical support for the SaaS platform’s security or infrastructure, they should be included in the in-scope headcount and noted within the scope statement interfaces and dependencies. 

Step 4: Include External Parties 

If any external contractors, consultants, or service providers are responsible for aspects of the ISMS processes (e.g., outsourced security monitoring), be sure they are accounted for in the headcount. 

Step 5: Determine Your In-Scope Headcount 

While it’s not a requirement of the standard to document your headcount formally, you should have a clear number in mind to provide your certification body. This headcount is essential for helping them accurately determine the number of days required for the audit and ensuring that all critical components of your ISMS are covered. 

Common Pitfalls to Avoid When Determining In-Scope Headcount 

  • Underestimating Third-Party Involvement: Forgetting to include external vendors or consultants can lead to incomplete ISMS coverage. 
  • Excluding Support Teams: Teams such as IT or HR may not appear directly linked to your ISMS at first glance, but they often provide crucial support, especially in areas like security or access management. 
  • Overcomplicating the Headcount: Including roles that don’t impact the ISMS directly can inflate the headcount unnecessarily, leading to longer audits and higher costs. 

Who Can Be Excluded From Your ISMS Headcount 

In many cases, departments like sales, marketing, or customer service have little to no impact on the ISMS and can often be excluded from the headcount. These departments typically do not handle sensitive information or perform activities that fall within the ISMS’s security scope. However, it’s important to assess each department based on its involvement with information security to ensure no risks are overlooked. 

While it’s common to exclude non-relevant departments, some organizations choose to include the entire company within the ISMS scope. If you decide to include all departments, including those with minimal information security involvement, there are options to reduce the audit days based on the reduced risk associated with certain activities.  

In these cases, you should speak with your certification body to explore opportunities for reducing audit time while ensuring the ISMS remains effective and compliant. 

The Role of Cross-Departmental Teams 

In many cases, multiple departments contribute to the activities under your ISMS. Involving cross-departmental teams during the headcount determination process ensures no critical roles are overlooked.  

Collaboration across departments can also help identify any indirect roles that contribute to maintaining the security of information assets or systems. By involving stakeholders from different areas, such as HR, IT, and legal, you ensure a more comprehensive view of who should be included in the ISMS scope. 

By carefully identifying the personnel involved, whether selectively or company-wide, and documenting their roles clearly, you can optimize the audit process and align your ISMS with both business and security objectives. 

If you have questions about defining your ISO audit scope or need assistance with your compliance efforts, we’re here to help.