CHAPTER 11: CONTEXT, POLICY AND SCOPE

The first planning step is the scoping exercise.

The scoping requirement is contained in Clause 4.3 of ISO27001. The requirement is that the organisation will ‘determine the boundaries and applicability of the information security management system to establish its scope [taking into consideration] external and internal issues, the requirements [of interested parties, and] interfaces and dependencies between activities performed by the organisation, and those that are performed by other organisations’.

This is built upon the understanding of the organisation and its context, as well as the expectations of interested parties. Clause 4.1 states that the organisation ‘shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system’. Clause 4.2 requires the organisation to identify interested parties and their requirements with relation to the ISMS. This ‘may include legal and regulatory requirements and contractual obligations’.

The scoping exercise

A scoping exercise should determine what is within, and what is outside, the ISMS. The ISMS will, in effect, erect a barrier between everything that is inside its perimeter and everything that is outside it. The development of the ISMS will require every point at which there is contact between the outside and the inside to be treated as a potential risk point, requiring specific and appropriate treatment.

Assets, like processes, cannot be half-in and half-out of the ISMS; they are either wholly in or wholly out.

Legal and regulatory framework

The legal and regulatory framework (4.2) also creates a specific perspective on the scoping of the ISMS. Clearly, information and information management processes that are all within the scope of any one single regulation, or other legal requirement, must all be within the scope of the ISMS.

Policy definition

The second major planning step required by ISO27001 is policy definition.

Clause 5.2 requires the organisation to define an information security policy. This requirement is also contained in the first control in Annex A, control number 5.1.1. This is the first of many clauses in ISO27001 that are supported by the guidance and best practice of ISO27002. Clause 5.1.1 of ISO27002 expands on the similarly numbered Annex A requirement and matches the specification contained in Clause 5.2 of ISO27001. The control objective served by the issue of a policy document is that it provides ‘management direction and support for information security in accordance with business requirements and relevant laws and regulation.’1

Policy and business objectives

Clause 5.1.1 goes on to state that the policy document should set out ‘the organisation’s approach to managing its information security objectives’. The Standard’s perspective is that a successful and useful ISMS will be one that does not undermine or block business activity. The significant risk in implementing systems that block business activity, that are not in line with business objectives, is that people inside the business will ignore or bypass the ISMS controls.

The information security policy must be approved by top management, communicated within the organisation and made available, as appropriate, to interested parties and to anyone else who needs it.

1 ISO/IEC 27002:2013, 5.1.
