Defining Your ISMS Scope
Understand what scope means in ISO 27001 Clause 4, how to define boundaries, and common approaches for Australian organisations.
Why Scope Matters
The scope of your ISMS defines the boundaries of what your information security management system covers. It determines which assets, processes, locations, technologies, and people are subject to the controls you implement. Getting scope right is critical — too narrow and you leave gaps; too broad and the effort becomes unmanageable.
ISO 27001 Clause 4.3 requires you to determine the boundaries and applicability of the ISMS, taking into account your organisational context (Clause 4.1) and the needs of interested parties (Clause 4.2). Your scope statement is one of the first documents an auditor will review.
Understanding Your Context (Clause 4.1)
Before defining scope, you need to understand your organisation's context. This means identifying:
- External issues — regulatory environment (Privacy Act, NDB scheme, APRA if applicable), industry standards, competitive landscape, supply chain dependencies, and threat landscape.
- Internal issues — organisational structure, culture, existing policies, IT infrastructure, staff capabilities, and business objectives.
Document these in a context analysis. They inform not just your scope but also your risk assessment and control selection.
Identifying Interested Parties (Clause 4.2)
Interested parties are individuals or organisations that can affect, be affected by, or perceive themselves to be affected by your information security decisions. Common interested parties include:
- Customers — they expect their data to be protected and may require ISO 27001 certification as a condition of doing business.
- Regulators — the OAIC (Office of the Australian Information Commissioner), APRA, ACSC, and state-based regulators.
- Employees — they need to understand their security responsibilities and have their personal information protected.
- Partners and suppliers — third parties with access to your systems or data.
- Board and shareholders — governance obligations and risk appetite.
Common Scoping Approaches
There is no one-size-fits-all scope. The right approach depends on your organisation's size, complexity, and objectives:
- Whole-of-organisation — covers everything. Simplest to explain but the most effort to implement. Best for smaller organisations where carving out a subset would be artificial.
- Specific business unit — covers a division, department, or team. Useful when only part of the business handles sensitive data or faces certification requirements.
- Specific product or service — covers the people, processes, and technology supporting a particular offering. Common for SaaS companies seeking to certify their platform.
- Specific locations — covers particular offices, data centres, or regions. Relevant when data residency or physical security is a primary driver.
Australian Considerations
When defining scope for an Australian organisation, keep the following in mind:
- Privacy Act 1988 — if you handle personal information of Australian individuals, your obligations under the Australian Privacy Principles (APPs) should be reflected in your ISMS scope.
- Data residency — APP 8 restricts cross-border disclosure of personal information. If your scope includes systems that process personal data, ensure those systems reside in Australia or have appropriate safeguards.
- Essential Eight — the ACSC's Essential Eight mitigation strategies apply to all systems within scope. Consider whether your scope aligns with the systems you are maturing under Essential Eight.
- IRAP — if you service government clients, your scope may need to align with IRAP assessment boundaries.
Documenting Your Scope in Standardise
Standardise provides an ISMS Scope Statement document template in the Documents module. Use this template to formally document your scope, including:
- The organisational units, locations, and processes covered.
- The information assets and technologies within the boundary.
- Any exclusions and the justification for each exclusion.
- Interfaces and dependencies with out-of-scope areas.
Your scope statement should be reviewed and approved by top management. As your organisation evolves, revisit the scope during management reviews to ensure it remains accurate.