Table of Contents:
Defining the scope of your ISO 27001 Information Security Management System (ISMS) or Privacy Information Management System (PIMS) is a crucial early step for certification. The scope sets the boundaries of what your audit will cover, ensuring your most valuable information and processes are protected and aligned with your business goals.
After defining your scope, the next step is creating a scope statement—a concise declaration that will appear on your certification certificate. This statement outlines the specific boundaries within which your ISMS or PIMS operates and publicly affirms your commitment to information and privacy security.
What Is the Audit Scope?
Your audit scope defines the parts of your organization, processes, locations, and information assets included in your ISMS or PIMS. This scope must be clear and aligned with your business objectives to ensure your ISMS/PIMS is operating ethically and is effective in protecting your critical information.
A well-defined scope helps your organization focus its efforts where they matter most and makes the certification process smoother by preventing unnecessary complexity.
Key Considerations When Defining the Scope
When defining your audit scope, consider these key factors:
- Organizational context: Align the scope with your objectives, external obligations, and critical processes, ensuring regulatory compliance.
- Locations: Identify all locations where sensitive information is handled or AI development takes place. This usually includes offices, data centers, and third-party sites.
- Information assets: Determine which assets, such as databases, software, and documents, need protection under your ISMS or are part of your PIMS.
- Processes: Define crucial processes for information and privacy security, from HR handling data to IT managing storage and transmission.
- Third-party relationships: Include any suppliers, vendors, or partners who access or manage your information assets.
5 Steps to Define the Audit Scope
Step 1: Analyze Your Organizational Context
Understand the business objectives, stakeholders, and legal requirements that may impact your information security or PIMS.
Step 2: Identify Critical Assets and Processes
List key digital and physical assets, as well as processes vital to your operations. Focus on what needs protection.
Step 3: Define Boundaries
Clearly outline the geographical and operational boundaries of your ISMS or PIMS. Specify which departments or locations are covered.
Step 4: Consider External Parties
Assess third-party relationships. Include any vendors or service providers that may impact your information security or PII.
Step 5: Document Your Scope
Write a clear document covering all locations, processes, and assets within your ISMS and PIMS. This will form the basis for your scope statement.
How to Write Your Scope Statement
Once you’ve defined your scope, it’s time to write your scope statement. This statement, which will appear on your certificate, is a public declaration of what is covered by your ISMS or PIMS. It should be clear and concise and reflect the boundaries you’ve established.
ISO 27001 Scope Statement Template
The scope of certification encompasses the Information Security Management System (ISMS) governing [insert key processes, services, or products covered by the ISMS, e.g., the organization’s SaaS application]. This includes [list key activities or departments involved, e.g., the design, development, deployment, and maintenance of the application]. The organization [insert operational details, e.g., operates entirely remotely / has operations across multiple sites / includes specific locations], with [insert any relevant details about physical locations, e.g., a designated mailing address used solely for correspondence purposes].
This certification aligns with ISO 27001 standards and is based on the Statement of Applicability (SoA) [insert version number and date, if desired—e.g., version 1.1 dated March 25, 2024].
Instructions for Completing the Scope Statement Template
Key Processes, Services, or Products:
Clearly state what the ISMS governs. This might include specific products (e.g., a SaaS application), services (e.g., managed IT services), or general operations (e.g., data processing).
Activities or Departments Involved:
List the activities or departments included in the scope. This could involve the design, development, maintenance, operations, support, or other relevant activities tied to information security.
Operational Details:
Specify whether your organization operates remotely, across multiple sites, or in specific locations. If the organization is remote, mention any physical mailing addresses and clarify if these are not operational locations.
Statement of Applicability (SoA) (Optional):
Including the SoA version and date is common but optional. If included, mention the version and date of the SoA your certification is based on.
Sample Scope Statements
Sample Scope Statement for ISO 27001 (ISMS) with locations
The scope of certification encompasses the Information Security Management System (ISMS) governing the organization’s “SecureVault 360” cloud-based data security and storage solution. This includes the development, operation, and customer support processes involved in managing the “SecureVault 360” platform. The organization operates across three sites in the United States and Europe, with the headquarters located in Austin, Texas. This certification aligns with ISO 27001 standards and is based on the Statement of Applicability (SoA) version 2.0 dated January 10, 2024.
Sample Scope Statement for ISO 27001 (ISMS) for a Remote Organization
The scope of certification encompasses the Information Security Management System (ISMS) governing the organization’s “SecureVault 360” cloud-based software development services. This includes the design, development, deployment, and support processes related to the “SecureVault 360” platform. The organization operates entirely remotely, with no physical office locations. The designated mailing address in New York, NY, United States, is used solely for correspondence purposes. This certification aligns with ISO 27001 standards and is based on the Statement of Applicability (SoA) version 3.0 dated April 1, 2024.
ISO 27701 Privacy Information Management System (PIMS) Scope Statement Samples
In addition to the ISO 27001 scope statement examples, it’s also useful to explore how organizations can define their scope under ISO 27701. As an extension to ISO 27001, ISO 27701 focuses specifically on privacy management for organizations acting as data controllers, processors, or both. Below, you’ll find sample scope statements for ISO 27701 to help you navigate this area effectively.
ISO 27701 (PIMS) Scope Statement Template
The scope of certification encompasses the Privacy Information Management System (PIMS) governing [insert key processes, services, or products covered by the PIMS, e.g., the organization’s data processing and privacy management operations]. This includes [list key activities or departments involved, e.g., the collection, processing, storage, and management of personal data]. The organization [insert operational details, e.g., operates entirely remotely / has operations across multiple sites / includes specific locations] and functions as a [declare whether the organization is a data controller, processor, or both]. This certification aligns with ISO 27701 standards and is based on the Statement of Applicability (SoA) [insert version number and date, if desired—e.g., version 1.1 dated March 25, 2024].
Sample Scope Statement for ISO 27701 (PIMS)
The scope of certification encompasses the Privacy Information Management System (PIMS) governing the organization’s customer data management services for “SecureVault 360,” a cloud-based data security and storage solution. This includes the collection, processing, storage, and deletion of personal data related to the “SecureVault 360” platform. The organization operates as both a data controller and data processor, with operations across three sites in the United States and Europe, including headquarters in Austin, Texas. This certification aligns with ISO 27701 standards and is based on the Statement of Applicability (SoA) version 2.0 dated January 10, 2024.
This template provides a flexible structure that can be customized to fit various organizational contexts and will help in crafting a clear and comprehensive ISO 27001 or ISO 27701 scope statement.
Common Pitfalls to Avoid When Defining Your Scope
When defining your scope, watch out for these pitfalls:
- Overly broad scope: Including too much information can make your ISMS or PIMS hard to manage and audit. Focus on critical areas aligned with your business goals.
- Too narrow scope: Excluding key processes or locations can expose your organization to risks. Cover all essential areas.
- Vague language: Be clear and precise. Avoid vague terms that could create confusion about what your ISMS or PIMS covers.
The Role of Stakeholders
Defining your ISO 27001 or 27701 scope and writing your scope statement shouldn’t be done in isolation. Involve key stakeholders, including senior management, IT teams, legal advisors, and department heads. Collaboration ensures the scope is comprehensive, realistic, and aligned with your organization’s goals.
Defining your audit scope and writing a clear scope statement are key steps toward certification. By understanding your organization’s context, identifying key assets and processes, and involving stakeholders, you can create a scope that aligns with your business objectives and protects valuable information.
This article offers a proven approach to help you get started, but every organization is unique. Be sure to explore additional resources or seek professional advice to tailor your scope statement to your specific needs.
