ISO 27001:2022 Clause 4.3 Determining The Scope Of The Information Security Management System — Certification Guide

Clause 4.3 Introduction

In this article we lay bare ISO 27001:2022 Clause 4.3 Determining The Scope Of The Information Security Management System. Using over two decades of experience on hundreds of ISO 27001 audits and ISO 27001 certifications I am going to show you what's new, give you templates, show you examples and do a walkthrough. In this ISO 27001 certification guide I show you exactly what changed in the ISO 27001:2022 update. I am Stuart Barker the ISO 27001 Ninja and this is ISO 27001:2022 Clause 4.3.

Table of contents
+ Introduction
+ What is ISO 27001:2022 Clause 4.3 Determining the scope of the information security management system?
+ What is the requirement of ISO 27001 Clause 4.3?
+ What are the ISO 27001:2022 changes to Clause 4.3?
+ What does the standard say about ISO 27001:2022 Clause 4.3?
+ How to define ISO 27001 Scope
+ Example ISO 27001 Scope Statement
+ ISO 27001 Clause 4.3 Template
+ How to comply with ISO 27001:2022 Clause 4.3
+ ISO 27001 Clause 4.3 FAQ

What is ISO 27001:2022 Clause 4.3 Determining the scope of the information security management system?

ISO 27001 has a list of requirements that it calls clauses, and this is one of those clauses that need to be met. If we are going to implement ISO 27001 and go for ISO 27001 certification then this is one of the first, and main, clauses that we want to address.

What is the requirement of ISO 27001 Clause 4.3?

This clause forms part of ISO 27001 Clause 4 Context of the Organisation. We have looked at ISO 27001 Clause 4.1 Understanding the Organisation and its Context to identify internal issues and external issues, and in ISO 27001 Clause 4.2 we looked at interested parties and their needs. In ISO 27001 Clause 4.3 we are looking at determining the scope of the information security management system.

What are the ISO 27001:2022 changes to Clause 4.3?

Not a massive change to ISO 27001 Clause 4.3 in the 2022 update, as the only thing it does is remove the word 'and' from 4.3 b. Great, isn't it?

What does the standard say about ISO 27001:2022 Clause 4.3?

ISO 27001:2022 defines clause 4.3 as:

The organisation shall determine the boundaries and applicability of the information security management system to establish its scope. When determining this scope, the organisation shall consider:
a) the external and internal issues referred to in 4.1
b) the requirements referred to in 4.2
c) interfaces and dependencies between activities performed by the organisation, and those that are performed by other organisations.

So we can see the work we have already done in previous clauses is not in vain and has the additional purpose of influencing the scope decisions we make.

How to define ISO 27001 Scope

Scope is vitally important. It clearly sets out what we are going to apply our information security management system to and, more importantly, it defines what will go on our ISO 27001 certificate. This is a little trickier to work out, but we have provided a detailed, easy to follow guide on How To Define ISO 27001 Scope. It includes an ISO 27001 Scope Statement Template that is part of the ISO 27001 templates toolkit.

Example ISO 27001 Scope Statement

If you are wondering what a good scope statement looks like, then this is taken directly from our ISO 27001 certification, by way of example:

Information security consultancy and virtual chief information security officer services in accordance with the statement of applicability version 1.2

(High Table ISO 27001 Scope Statement)

You can see in the example we have first laid out the products / services that we offer and that are in scope, and we have referenced our Statement of Applicability and its version. The statement of applicability is the list of controls that we have implemented. A nice simple scope statement.

ISO 27001 Clause 4.3 Template

The ISO 27001 Documented Scope Template is a great document to help to define and document scope. A quick and effective way to satisfy the requirements of this clause of the standard. Part of the ISO 27001 Templates Toolkit but also available to download individually.

How to comply with ISO 27001 Clause 4.3 Determining the scope of the information security management system

Time needed: 1 day.

1. List your products and services
List out all of your products and services as your customer would know them.

2. Ask your customers and clients which products and services they would expect to be ISO 27001 certified
Speaking with your clients, they will tell you what their expectations are. You can examine existing contracts and look at existing questionnaires that you have been sent. All of these will lead you to an understanding of what should be in scope. If the answer is everything, then you can look to prioritise the list based on what is most commercially beneficial to you and start there. It is ok to start small and increase the scope over time as you become comfortable with the process and the requirements.

3. Document your ISO 27001 Scope
Formally document your ISO 27001 scope. You will want to record your ISO 27001 Scope Statement, which is the statement that will go on your final ISO 27001 Certificate. It is also good practice to think about the people, processes, technology and locations that are needed to support the in scope products and services and which will therefore naturally fall in scope of the ISO 27001 certification. Explicitly stating what is out of scope can be good practice and help with your internal management.

4. Review and approve the ISO 27001 scope
At the next management review meeting be sure to share and review the ISO 27001 scope. Get agreement on the scope and formally document the agreement in the meeting minutes.

ISO 27001 Clause 4.3 FAQ

Should the entire organisation be in scope for ISO 27001 certification?
No. The burden and overhead of ISO 27001 is high and documentation heavy. Including the whole organisation if it is not needed will put undue pressure on resources such as staff time and your company's money. You should narrow the scope of the ISO 27001 to the products and/or services that are relevant to your customers and clients. You can even narrow the scope to a subset of that and prioritise for year 1, with a view to extending scope once you are comfortable with the process and what is involved. Do not over complicate it.

How do I define ISO 27001 certification scope?
The simple answer is that scope is defined exactly by what your customers and clients are asking you to have in scope. This is the products and services that you provide that they expect to have an ISO 27001 certification. No more. No less. Focus your scope on what you are being asked for commercially and what will bring you the most commercial benefit.

What is the impact if I get ISO 27001 scope wrong?
Getting the ISO 27001 scope wrong can lead to you not meeting the requirements of your customers and clients. If this happens the entire exercise will be a wasted journey. In addition, if you increase the scope beyond what is required you introduce a lot of effort and bureaucracy your organisation could otherwise have avoided. This can lead to lost time and lost profits. Be sure you spend time on this part of the process to get it right. If in doubt, ask your clients what they expect of you. They will tell you. This is your focus. This is your scope.

ISO 27001 Scope Statement example?
The following is a good example of an ISO 27001 scope statement:

Information security consultancy and virtual chief information security officer services in accordance with the statement of applicability version 1.2

This is taken directly from the High Table ISO 27001 Scope Statement.

ISO 27001 Scope template?
You can download the ISO 27001 scope statement template here: https://hightable.io/product/iso-27001-scope-document-template/