Information Security Management System Scope
Defining and documenting the scope of an organization’s Information Security Management System (ISMS) is a mandatory requirement under ISO 27001. It is crucial for senior management to determine and define which information will be protected. For small to medium-sized organizations, it may make sense to include the entire organization in the scope of the ISMS. Although some registrars prefer that the entire organization be included in the scope, this is not required; however, any area or department that is excluded must be justified. If an organization limits the scope to certain areas or departments, the scope definition should not be overly complicated. Interested parties as well as employees need to understand clearly what is and what is not covered within the scope of the ISMS.
The scope should describe what information, processes, services, and functions an organization plans to protect, where they are physically located, and who has access to them.
The Statement of Applicability supports the scope, and auditors often prefer to review both at the same time.