ISO 27001:2022 Requirements: Clause 4.3 Determining the Scope of the ISMS

“The organisation shall determine the boundaries and applicability of the information security management system to establish its scope.

When determining this scope, the organisation shall consider:

• The external and internal issues referred to in clause 4.1;
• The requirements referred to in clause 4.2;
• Interfaces and dependency between activities performed by the organisation, and those that are performed by the other organisation.

The scope shall be available as documented information.”

The Scope Of The Information Security Management System

Setting up a scope is the most crucial part of the ISMS, as it is a mandatory document that should be available as recorded information, along with a Statement of Applicability. The main purpose of defining the scope is to understand which information the organisation intends to protect. It will tell your stakeholders (employees, management, directors, partners, customers, suppliers, and more), as defined by clause 4.2, what parts of the business are covered by your ISMS.

According to the standard, an organisation must consider these factors while setting up the scope of its ISMS:

• Internal and external issues, which are defined within the context of the organisation (clause 4.1);

• The requirements of the interested parties (clause 4.2);
• Interfaces: Interfaces are like the boundary wall of your ISMS scope; they define what processes and elements are within the scope of ISMS or out of it. It’s also important to understand the inputs and outputs using these interfaces;
• Dependencies: Dependencies are the processes or elements which are outside the scope of your ISMS. For example, if the organisation is outsourcing legal services from a law firm.

Defining your internal and external issues in the previous two clauses is an intrinsic part of this process, and defining the scope of your ISMS will naturally rely upon you having an understanding of both of these considerations.

Once you have defined the internal and external issues, as well as identified the interested parties and their respective requirements, you should have a strong starting point for deciding what the scope of your ISMS should cover, as well as what is out of the scope of your ISMS, which you should also mention.

In summary, you are required to protect the intended information no matter where, how and by whom this information is accessed.