How To Define ISMS (information Security Management System) Scope

Except organization boundaries, any business application needs to be selected for ISMS implementation or certification scope?
my company's major business is software development service for customer, and no obvious or critical application existed.
Maurice - the scope of an ISMS is basically the type of information you seek to hold secure. If often comes from also defining the applicability of the ISMS controls. Have you done this? The 2 go hand-in-hand.
Thanks for reply.
So maybe the data or documents provided by customers for developing and testing application can be included? and the system to control those and source code is applicable too? like version or document control system
Thanks for reply.
So maybe the data or documents provided by customers for developing and testing application can be included? and the system to control those and source code is applicable too? like version or document control system
Those would be part of it.
ISMS scope is probably one of the hottest topics since the 2013 revision of ISO 27001 was published, because it introduces some new concepts like interfaces and dependencies. ISO 27001 specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System within the context of the organization’s overall business risks.


Captain Nice
Staff member
Doing a bit of reading, I understand:

Define/Identify internal and external issues defined in clauses 4.1 and 4.2​
Define/Identify internal and external dependencies​
A description of the company location(s)​

BSI's short take

General: ISO/IEC 27001 - Wikipedia

The official title of the standard is "Information technology — Security techniques — Information security management systems — Requirements"

ISO/IEC 27001:2013 has ten short clauses, plus a long annex, which cover:

1. Scope of the standard
2. How the document is referenced
3. Reuse of the terms and definitions in ISO/IEC 27000
4. Organizational context and stakeholders
5. Information security leadership and high-level support for policy
6. Planning an information security management system; risk assessment; risk treatment
7. Supporting an information security management system
8. Making an information security management system operational
9. Reviewing the system's performance
10. Corrective action Annex A: List of controls and their objectives

This structure mirrors other management standards such as ISO 22301 (business continuity management) and this helps organizations comply with multiple management systems standards if they wish. Annexes B and C of 27001:2005 have been removed.
In addition:
Clause 6.1.3 describes how an organization can respond to risks with a risk treatment plan; an important part of this is choosing appropriate controls. A very important change in ISO/IEC 27001:2013 is that there is now no requirement to use the Annex A controls to manage the information security risks. The previous version insisted ("shall") that controls identified in the risk assessment to manage the risks must have been selected from Annex A. Thus almost every risk assessment ever completed under the old version of ISO/IEC 27001 used Annex A controls but an increasing number of risk assessments in the new version do not use Annex A as the control set. This enables the risk assessment to be simpler and much more meaningful to the organization and helps considerably with establishing a proper sense of ownership of both the risks and controls. This is the main reason for this change in the new version.

There are now 114 controls in 14 clauses and 35 control categories; the 2005 standard had 133 controls in 11 groups.

A.5: Information security policies (2 controls) A.6: Organization of information security (7 controls) A.7: Human resource security - 6 controls that are applied before, during, or after employment A.8: Asset management (10 controls) A.9: Access control (14 controls) A.10: Cryptography (2 controls) A.11: Physical and environmental security (15 controls) A.12: Operations security (14 controls) A.13: Communications security (7 controls) A.14: System acquisition, development and maintenance (13 controls) A.15: Supplier relationships (5 controls) A.16: Information security incident management (7 controls) A.17: Information security aspects of business continuity management (4 controls) A.18: Compliance; with internal requirements, such as policies, and with external requirements, such as laws (8 controls)
The new and updated controls reflect changes to technology affecting many organizations—for instance, cloud computingbut as stated above it is possible to use and be certified to ISO/IEC 27001:2013 and not use any of these controls.
Attached: Example scope document


Last edited:

Top Bottom