ISMS Mandatory Documentation – 1. ISMS Scope

Implementing an Information Security Management System can be daunting, particularly if you’re navigating the wordy junctions of ISO 27001 for the first time.

We’ve put together what we think are the mandatory documents required to meet the main substance of the ISO 27001 standard.

As with most ISO standards, you need to first identify the scope of the management system you’re putting in place.

The idea of your ISMS Scope is the establish and detail the boundaries of the ISMS within the context of your organisation. You might need to define that your ISMS only encompasses certain business scenarios or areas of the business (e.g. specific departments or locations), or covers the full business but has exclusions.  You also need to consider the information risks and security requirements within these boundaries, and any additional obligations imposed by third parties, laws, regulations, contracts, company policies and strategies.

Whenever information crosses into the ISMS scope boundaries, then information security measures should be taken into account and implemented – with documentation, records and evidence.

One method of implementing your ISMS Scope is by incorporating it into an existing high-level company policy, statement or strategy that has been written or endorsed (and authorised) by senior management in the company.  The scope and purpose of the ISMS could alternatively be contained within an independent document or policy, but the former is a common approach and can also be used a tool to raise awareness.

You can use this document download to help you get started and ensure you’ve considered all the main requirements for your ISMS Scope, regardless of where you’d prefer to include it.