Define your ISO 27001 Audit Scope

Overview

ISO 27001 audit scope definition is a vital part of any audit. The scope sets the boundaries of the audit and identifies the object in focus.

The object can include the people, data, system, or product in review. The scope definition allows the auditors to focus on an aspect of the organization. It is important to clearly define the scope of review for your given audit.

Determining your ISO 27001 audit scope requires your organization to specify the product, the data, the systems, vendors, location, department, internal and external parties, etc. in scope.

Read below for guidance on how to determine each scope item. A table listing each item is provided below to use as a template for this exercise.

Product(s) in scope

For a Software as a Service (SaaS) provider, the scope is typically the software application(s) offered to clients. Some organizations have multiple products, and it is important to define for your ISO 27001 what products are in focus and what products aren’t.

Data in scope

In order to identify the data in scope, the ideal step is to focus on the type of data and identify the people that flow through the product or service. For a SaaS provider, it’s typically all the data held in it (i.e., customer data, etc.) and the people that support it, such as vendors and employees.

Systems in scope

To identify all your systems in scope, take an inventory of all the various systems and internal controls that are critical to delivering your service or product in scope. This can include email and Slack. The key is to focus on the systems and tools that are essential to delivering your service / product. Production systems have a direct impact on your product or service in lieu of non-production systems.

For HR systems, focus on systems that manage employee onboarding and training processes. Everything else, such as time off requests and benefits, is out of scope since it is not critical to delivering a service or product.

For a SaaS provider, it’s typically all the infrastructure that hosts it and the procedures that support it, such as AWS, Github, JIRA, etc.

Vendors in scope

In order to identify the vendors in scope, focus on the critical vendors, such as cloud hosting and production related organizations supporting the product or service in scope.

Internal and External Parties in scope

You need to list out all internal stakeholders (i.e., employees, Board of Directors) and external parties (i.e., customers, regulators, government) needs and interests relevant to your ISMS or information security.

Relevant laws and regulations in scope

You need to list the laws and regulations that are relevant for information security according to your business and describe how you are willing to fulfill those requirements.

Physical Office / location in scope

There is no mandatory requirement to include an organization’s headquarters in the scope of the ISMS. Physical location can usually be carve-out of the scope. However, an office site can be added to the scope depending on its relevance to the ISMS (i.e., whether it hosts a server or serves as a satellite office).

Scoping guidance template

Scoping guidance

Provide a detailed description of your organization’s products or services. Focus on the product or service under review.

Provide the type of data and people that flow through the product or service under review.

Please provide a list of systems/tools that flow through or support the product or service under review.

Please provide a list of critical vendors being used to support the product or service under review.

Please provide a list of internal and external parties with needs relevant to the ISMS.

Please provide a list of relevant laws and regulations regulating the product or service under review.

Please provide a list of locations serving as operation centers to support the product or service under review.