What is ISMS scope in ISO 27001?
ISMS scope defines the breadth of your ISO 27001 certification, in other words what your information security certification covers. You define the scope of ISMS using:
- information, information assets
- products
- services
- processes
- systems, software and applications
- organizational units, branches
- geography, specific locations
Examples of ISMS scope
ISMS Scope Example #1: A software company that develops a healthcare application
- A software company that develops a SaaS platform for the management and maintenance of healthcare facilities
- ISMS encompasses the entire company because its core business is software development
- So the scope is defined as follows:
- Organization and locations: The scope of the ISMS is essentially maximal, i.e. it covers the vast majority of the company's processes, all its branches and locations.
- Processes: Key processes are design, development, maintenance, testing, technical support, sales and marketing
ISMS Scope Example #2: Hospital
- The hospital chose to include only its Hospital Information System because it contains the most sensitive information
- So the scope is defined as follows:
- Organization and location: only the NIS operations department and the IT management offices
- Systems: The hospital's information system, its database
- Physical locations: Server room, backbone network
Here is how Appien helps you define and manage the ISMS scope
- As a tool for managing ISO 27001 compliance and information security, it guides you through the individual parts of the scope
- The Information Assets organizer helps define the scope of the ISMS in terms of assets such as information, products or IT technology
- The process catalog serves as an overview of company processes
- You attach an employee organization chart to define the scope of the ISMS in terms of people and organizational structure
- You can use the buildings or branches organizers to define the scope in terms of locations