The ISO 27001 standard provides requirements for establishing, implementing, maintaining and continually improving your Information Security Management System (ISMS) within the context of your organization. Your ISMS includes the people, processes and technology involved in collecting and managing sensitive information. One of the most important things you must do when initiating an ISO 27001 compliance program is to write the scope statement.
The scope statement is required and must consider the following:
- Context of Your Organization: The internal and external issues that are relevant to the organization and its mission
- Interested Parties: Stakeholders pertinent to the ISMS and requirements of interested parties
- The interfaces and dependencies to outside organizations
Defining the Context of Your Organization
The context of your organization includes all internal and external issues relevant to its mission and the ability of its ISMS to achieve the required outcomes. Knowing organizational context can give you a clear understanding of the most critical issues affecting information security. This enables you to devise an effective strategy and allocate the necessary resources to achieve your intended results.
Examples of internal contextual issues include:
- Organizational structure – roles, responsibilities and hierarchy
- The organization’s mission, values, culture and vision
- Decision-making process, information data flows, policies and processes
- Resources that you already have or may need, including technology, capital and personnel
- Contractual relationships and the expectations and requirements of customers and vendors
- Other frameworks to which you subscribe, e.g., SOC 2, CIS Controls, PCI DSS, HITRUST CSF
Examples of external contextual issues include:
- Market trends and the expectations of customers
- Expectations of external stakeholders
- Applicable laws and regulations, e.g., GDPR, CCPA, HIPAA, GLBA
- Politics and economic circumstances
- Technology trends and innovation, for example, cloud migration
Interested Parties
Interested parties are all relevant internal and external parties that impose security requirements or play a pertinent role in your information security. External parties could include regulatory agencies, partners, vendors and customers. Internal parties include all departments and personnel that play a role in managing information.
Typical examples of interested parties in your ISMS scope include:
- Employees and their families
- Customers
- Shareholders or owners of the business
- Government agencies
- Vendors and partners
- Anyone else you consider essential to your business
Employees, their families and customers want you to protect their personal information. Shareholders and owners want security of their investments and good returns. Government agencies want you to comply with laws and regulations. Vendors and partners want you to be secure, and you may also have to push requirements to them in order to achieve your compliance certification.
It’s common for organizations to use third-party vendors to deliver services, and some of them might be privy to information within your ISMS’s scope. Your vendor risk management policy should include strict SLAs, security questionnaires, periodic audits, and reviews to ensure your data is kept secure within your vendor’s policies and processes.
Interfaces and Dependencies
This section refers to interfaces and dependencies between activities performed by the organization and those that external organizations perform. Consider services critical to your organization, including email, identity providers, communication tools, data processing and storage facilities.
Internal interfaces may include, for example, the HR department, which is responsible for control activities such as onboarding personnel, facilitating security awareness training, and enforcing disciplinary actions for information security violations. The sales team interfaces with the ISMS through its customer engagements.
External interfaces and dependencies typically include cloud providers, colocation facilities, ticketing systems and access management vendors. These auxiliary vendors may interface with the ISMS via APIs, hosting responsibilities or tooling solutions deployed in the service provider’s control environment.
Interfaces and dependencies should be documented and periodically evaluated. Each factor introduces nuanced considerations for establishing the ISMS scope and can act as a practical “stress test” for management.
Conclusion
Once you go through the process of defining ISMS scope, you’ll start to appreciate it. You will better understand the environment in which your organization operates and realize which security requirements you need to fulfill. You will also be able to focus much better on your most sensitive information and prioritize the allocation of precious resources.
About Truvantis
Truvantis is a cybersecurity, privacy and compliance consulting organization. We specialize in helping our clients by implementing, operating, auditing and testing information security programs that work – balancing budget with organizational risk appetite.
We can help you achieve ISO 27001 compliance from scoping to guiding the audit process. Contact Truvantis today for a consultation.