
How to Define the Scope of Your ISMS Using My Template

Writer: Alan Parker

One of the first things you need to do when implementing an Information Security Management System (ISMS) in accordance with ISO 27001 (or any approach you choose) is to define its scope: what information systems, assets, people, business functions, etc. you are going to cover with your security policies, procedures, etc., and which ones you are not going to cover.


Without it, you are trying to plan a hiking trip to somewhere you've never been without a map: it will not go smoothly.


It is not as simple as just looking at a list of laptops and desktops in an online inventory system.


In this article, I'll cover:


  • What the ISMS scope is and what it should consider

  • Why ISO 27001 requires scope identification

  • The benefits of a clearly defined scope

  • How to use the ISMS Scope Assessment Workbook to define your scope effectively


First, here's the scope workbook template I use, for you to download:



[Screenshot of the Scope Assessment Workbook, showing sections on internal/external influences, stakeholder requirements, and text on ISMS scope and challenges]

What is the Scope of an ISMS?

The scope of an ISMS defines which parts of your organisation, assets, processes, and locations the system covers.


ISO 27001 specifically requires organisations to determine and document the boundaries and applicability of the ISMS, ensuring that security controls are relevant to business operations. It'll be one of the first things an auditor wants to examine.


When defining your ISMS scope, you should consider various aspects such as:


  • Business objectives and strategy – Ensure alignment with your organisation's goals.

  • Legal and regulatory requirements – Compliance obligations such as GDPR, PCI DSS, or industry-specific security laws.

  • Stakeholders and interested parties – Customers, employees, suppliers, and regulators with security expectations.

  • Information assets – Critical data, systems, and intellectual property that need protection.

  • Locations and infrastructure – Whether the ISMS covers specific offices, cloud environments, or entire global operations.

  • Interfaces and dependencies – External services, vendors, or supply chains that interact with your ISMS.


All of these things shape your ISMS and your approach to security. For example, is the EU or UK GDPR in or out of consideration for the assets you're protecting?


Indeed, what assets are you protecting? It's not just "laptops and desktops"; data assets may move or be stored anywhere.


And then, who are you protecting these assets for? Not just for the sake of it. You are entrusted to process data on behalf of customers, employees, and others, so you need to work out who they are and what their expectations are.


Why ISO 27001 Requires Scope Identification


ISO 27001 (2022) mandates that organisations define and document their ISMS scope (Clause 4.3). Even if you aren't following 27001 as guidance, it is still prudent to undertake this task.


The key reasons for this include:


  1. Clarity on Security Boundaries – Organisations must know which assets and processes are within the ISMS and which are not.

  2. Efficient Risk Management – By defining the scope early, you can identify and mitigate risks effectively.

  3. Regulatory Compliance – Certain security regulations apply only to specific data or locations, so the scope ensures compliance where needed.

  4. Resource Optimization – Avoid unnecessary security controls by focusing on critical areas.

  5. Simplifies Certification Audits – Clearly defining the scope helps auditors understand what is included in your ISMS.


The Benefits of Defining Your ISMS Scope Properly


A well-defined scope leads to:


Focused Security Efforts – Ensure security controls are applied where they matter most.

Better Stakeholder Communication – Helps employees, suppliers, and auditors understand security responsibilities.

Cost Efficiency – Reduces wasted resources on unnecessary security measures.

Improved Compliance – Ensures the ISMS meets relevant legal and contractual requirements.

Stronger Business Continuity – Reduces risks related to cyber threats, supply chain issues, and operational disruptions.

An Easier Path to Certification – If you are pursuing 27001 certification, you'll want to consider what's in and out of the scope to make life as easy on yourself as possible.


How to Use the ISMS Scope Assessment Workbook

The ISMS Scope Assessment Workbook is a practical tool for helping organisations collaboratively define their ISMS scope. It is especially useful in workshops involving key IT, compliance, legal, and business unit stakeholders.


Step-by-Step Guide to Using the Workbook


1. Identify Internal & External Influences

The workbook provides a structured way to assess:


  • Internal factors (e.g., IT maturity, security gaps, regulatory compliance needs)

  • External factors (e.g., evolving cyber threats, customer expectations, emerging regulations)


To get a complete picture, involve senior management, IT, and compliance teams.


2. Define Key Stakeholders & Their Requirements

Stakeholders such as regulators, customers, employees, suppliers, and shareholders have different security expectations.


The workbook provides a table to document each stakeholder’s needs.


Prioritise stakeholders based on business impact and security risk.


3. Identify Critical Information Assets

Determine which data, systems, hardware, and knowledge must be protected and their associated legal obligations.


Use real-world scenarios (e.g., “What happens if this system is breached?”) to highlight risks.


4. Define Scope Boundaries

Choose whether to scope the ISMS around:

  • Specific business units (e.g., IT only)

  • Critical processes (e.g., incident management, finance, HR)

  • Physical locations (e.g., global headquarters only)

  • Cloud environments (e.g., AWS-hosted infrastructure)


Keep the scope manageable—start small and expand as needed.


5. Clearly Define What is Out of Scope

Excluding non-relevant areas helps avoid unnecessary audits and security controls. Examples of out-of-scope elements include:

  • Legacy systems pending decommissioning

  • Non-critical business units

  • Third-party systems not under operational control


Ensure exclusions are justifiable—they should not create security gaps.


Conclusion: A Strong Scope is the Foundation of a Strong ISMS

Defining the right scope for your ISMS is not just a compliance requirement—it’s a strategic decision that enhances security, efficiency, and business continuity.


Using tools like my ISMS Scope Assessment Workbook, organisations can collaboratively define their scope in a structured and effective manner.






About the author

Alan Parker is an IT consultant and project manager who specialises in IT governance, process implementation, and project delivery. With over 30 years of experience in the industry, Alan believes that simplifying complex challenges and avoiding pitfalls are key to successful IT management. He has led various IT teams and projects across multiple organisations, continually honing his expertise in ITIL and PRINCE2 methodologies. Alan holds a degree in Information Systems and has been recognised for his ability to deliver reliable and effective IT solutions. He lives in Berkshire, UK, with his family.
