ISO 27001 – Establishing Scope and Statement of Applicability


We began our guide to ISO 27001 by highlighting the advantages of adopting an ISO 27001 compliant information security management system (ISMS), how security professionals can evaluate the quantitative and qualitative aspects of compliance, and the pivotal role of leadership.

In part 2 of our Guide, we delve into the most important elements of planning and implementing an ISO-compliant system: establishing the scope of your ISMS and creating your Statement of Applicability (SoA). Specifically, we focus on aligning the scope of your ISMS with your organization’s strategic objectives, and on why the SoA is an important operational document that provides comprehensive coverage of controls, risks, and documentation.

Scope: the Heart of Your ISO Program

Having a well-formulated plan can make or break a project, and implementing an ISO 27001 compliant ISMS is no different. Establishing the scope of your ISMS is undoubtedly the most important step when implementing an ISO 27001 certified system. Your ISMS scope must be aligned with your organization’s strategic objectives, your clients’ expectations, and the resources available to support your security initiative.

Scopes that are too broad:
  • Can be overly expensive and time-consuming
  • Create unnecessary bureaucracy due to numerous processes and policies
  • Are hard to control (especially if your ISMS team is small)
  • Cannot keep up with the pace of change (features, technologies, etc.)

Scopes that are too narrow:
  • Will be unable to protect your data
  • Cannot satisfy the requirements of your clients
  • Hinder your ability to implement consistent processes and monitoring activities

Ideally, when scoping your ISMS, you should:
  • Establish the boundaries of your Security Policy
  • Include the teams and activities that directly manage and support your clients’ data
  • Exclude physical locations and departments that pose no, or only minimal, risk to confidential information
  • Consider the time and budget available for your ISO implementation and maintenance

When designing your ISMS, always consider the strategic decision behind involving top management and different internal stakeholders when adopting policies and mitigating processes. Larger scopes will need additional security controls; these can be introduced systematically and grow in maturity over the years.

Statement of Applicability

Once you have defined your scope, you can move forward with the initial evaluation of the Statement of Applicability (SoA). The SoA is a mandatory report that must be produced as evidence of the implemented ISMS. It represents the landscape of your ISO 27001 compliant system, as it outlines which of the following Annex A areas are included in the scope of your organization:

  • A.5. Information security policies
  • A.6. Organization of information security
  • A.7. Human resource security
  • A.8. Asset management
  • A.9. Access control
  • A.10. Cryptography
  • A.11. Physical and environmental security
  • A.12. Operations security
  • A.13. Communications security
  • A.14. System acquisition, development, and maintenance
  • A.15. Supplier relationships
  • A.16. Information security incident management
  • A.17. Information security aspects of business continuity management
  • A.18. Compliance

Organizations must justify, based on the defined scope, why certain controls are excluded from their ISMS. Documenting your justification is essential in case of a security breach: if you are investigated for a data breach, the SoA is legally accepted as evidence of compliance, protecting you from regulatory consequences.

Planning Your ISMS

Setting the scope of your Information Security Management System is the most important step when planning an ISO 27001 implementation. Determining the boundaries, objectives, and necessary resources will greatly contribute to the success of your ISMS and streamline the implementation. The Scope Statement is a milestone that defines which activities, departments, stakeholders, and processes will be part of your ISO audits and, as an outcome of the assessment process, of your certification.

Keeping your business’s strategic objectives and clients’ expectations in mind is critical to defining the parameters of your scope and, consequently, your Statement of Applicability, which can be used as a legally binding report.

Next in our Guide to ISO 27001, we discuss how to develop your ISMS in accordance with ISO 27001’s mandatory clauses: identifying the requirements, how to satisfy them, and the documents that need to be created as part of the development process.

How Can StandardFusion Help?

With StandardFusion, you can create and control your documentation, including policies, controls, and reports. Using our reporting feature, users can create an ISO 27001 compliant Statement of Applicability while controlling exclusions, justifications, and criteria. Develop your documentation and policies from the ground up, update them as needed, and keep track of historical documentation and versions within the software. See how you can take advantage of an automated, single source of truth to manage the policies, procedures, and notices within your privacy program. Schedule a demo with our team today!

Part 1 – Implementation & Leadership Support

Part 2 – Scope and Creating the Statement of Applicability

Part 3 – Mandatory Clauses

Part 4 – Needs and Expectations of Stakeholders

Part 5 – Risk Management

Part 6 – Defining Controls

Part 7 – Competence, Training and Awareness

Part 8 – Monitoring Efficacy