How to Determine the Scope of Your ISMS

November 21, 2022

by: Larry Kinkaid

Defining the scope of your information security management system (ISMS) is a crucial step in your security and compliance journey. The scoping statement is a core element of ISO 27001 and of any ISMS. In fact, it is printed on an organization's ISO 27001 certificate so that it can be provided to interested parties.

What is the Scope of an ISMS?

The scope of your ISMS defines everything inside your security program: all of the information and processes that are protected. The scope needs to be clearly defined for your customers and stakeholders so they understand which parts of your business are covered by your ISMS.

For smaller organizations, the entire technology portfolio should typically be included in the scope of the ISMS. For larger organizations, defining ISMS scope may require a more strategic approach, since it may not make sense to include the entire organization. For example, if the business units or sub-entities of a larger organization are very independent, the organization may choose not to include them in the scope.

In addition to clearly defining the different components of your program, the scope should summarize the purpose of implementing an ISMS. Think of it as the basis of a security charter, which outlines everyone within the organization who has information security responsibilities.

The Purpose of Defining Scope

The purpose of having a scope is to ensure that all interested parties understand what the ISMS is for and how it relates to the organization. Additionally, organizations want customers and other stakeholders to be able to confirm that the scope adequately covers the nature of their relationship with the organization.

Simply put, having a clearly defined scope that makes logical sense to your customers is good business practice. It demonstrates that your organization is thoughtful about security and can lead to more business opportunities.

How to Determine the Scope of Your ISMS

Your customers and stakeholders will help you define your scope based on their expectations and needs. Organizations should draft the scoping statement with interested parties in mind: primarily customers, but also any vendors they work with and anyone who could be affected if the security program is not effective.

The scope should include, at the very least, your product and your customer data. Security is a journey, and your ISMS can grow and become more strategic over time. Organizations may also want to address internal business risks (such as the protection of employee data) as part of the program; if so, those risks should also be reflected in the scope. The following questions may be helpful to ask when determining the scope of an ISMS:

  • What are our customer commitments?
  • Are there any nuances to be considered (such as applicable risks and what is material to interested parties)?
  • Does it make strategic sense to split our security into multiple programs based on our business units and/or products?
  • Are we going to include internal business risks?

Typically, executive leadership is responsible for defining the scope of an ISMS. It should be owned by an information security committee that is sponsored by the chief information security officer (CISO). If your organization does not have a CISO, it may be helpful to hire a virtual CISO (vCISO) to assist with your information security program. 

While having a clearly defined scope is a requirement for certifications such as ISO 27001, it can also give direction to additional certifications or evaluations, since it is difficult to start from a blank page.


About the Author

Larry Kinkaid, Senior Consultant, CISO Advisory

As a Senior Consultant at BARR Advisory, Larry supports the company's growing CISO Advisory service offerings, specifically for small- to medium-sized companies in need of a virtual CISO (or CISO on retainer). He plans and executes various engagements, including readiness assessments, policy and procedure documentation, vendor risk management assessments, and external audit assistance.

He is an experienced consulting professional with a history of working in IT governance, risk, and compliance for large companies. He maintains the CISA and CRISC certifications to fortify his reputation as an IT professional in audit and risk. Larry graduated from Bowling Green State University with a Bachelor of Science in Business Administration, Information Systems Auditing and Control, and Management Information Systems.
