Define your ISO 27001 audit scope
Overview
ISO 27001 audit scope definition is a vital part of any audit. The scope sets the boundaries of the audit and identifies the object in focus.

The object can include the people, data, system, or product in review. The scope definition allows the auditors to focus on an aspect of the organization. It is important to clearly define the scope of review for your given audit.
Determining your ISO 27001 audit scope requires your organization to specify which products, data, systems, vendors, locations, departments, and internal and external parties are in scope.
Defining your ISO 27001 audit scope means setting clear boundaries for what your Information Security Management System (ISMS) will cover so auditors know exactly which products, data, systems, locations, and parties are in focus. It typically includes the specific product or service under review (for example, a SaaS application), the sensitive data it processes, the supporting infrastructure and tools, critical vendors, relevant internal and external stakeholders, and applicable laws and regulations.
A well-written scope statement is concise but precise: it names the in‑scope services, clarifies which environments, offices, and third parties are included, and implicitly excludes what is not essential to delivering that service. Getting this right helps avoid audit surprises, keeps implementation effort proportional to risk, and ensures your ISO 27001 controls are designed and tested where they matter most for customers and regulators.
Read below for guidance on how to determine each scope item. A table listing each item is provided below to use as a template for this exercise.
Product(s) in scope
When conducting an ISO 27001 audit, it is important to identify and define the scope of the audit. This includes determining which products are within the scope of the audit. Products that handle or process sensitive information, such as customer data or intellectual property, should be included in the scope. This may include software applications, databases, and physical products like servers or hardware devices.
It is essential to assess the security controls and measures implemented in these products to ensure compliance with ISO 27001 standards. By including these products in the audit scope, organizations can effectively evaluate their information security practices and identify any vulnerabilities or areas for improvement.
For a Software as a Service (SaaS) provider, the scope is typically the software application(s) offered to clients. Some organizations have multiple products, so it is important to define, for your ISO 27001 audit, which products are in focus and which are not.
Data in scope
When conducting an ISO 27001 audit, it is crucial to determine the data that falls within the scope of the assessment. The scope defines the boundaries of the audit and ensures that all relevant data is included in the evaluation. It is important to identify and classify the data based on its sensitivity and criticality to the organization. This includes personal data, financial information, intellectual property, and any other data that may pose a risk if compromised.
By clearly defining the data in scope, the auditor can focus on evaluating the effectiveness of the controls and processes in place to protect this information. Additionally, identifying the data in scope helps to ensure compliance with legal and regulatory requirements.
To identify the data in scope, focus on the types of data and the people that flow through the product or service. For a SaaS provider, this is typically all the data held in the product (e.g., customer data) and the people that support it, such as vendors and employees.
Systems in scope
To identify all your systems in scope, take an inventory of all the systems and internal controls that are critical to delivering your service or product in scope. This can include email and Slack. The key is to focus on the systems and tools that are essential to delivering your service or product. Production systems have a direct impact on your product or service, whereas non-production systems generally do not.
For HR systems, focus on systems that manage employee onboarding and training processes. Everything else, such as time-off requests and benefits, is out of scope since it is not critical to delivering a service or product.
For a SaaS provider, this is typically all the infrastructure that hosts the product and the tooling that supports it, such as AWS, GitHub, Jira, etc.
Vendors in scope
When conducting an ISO 27001 audit, it is important to identify the vendors that are in scope for the audit. Vendors can play a crucial role in the security of an organization’s information assets. They may have access to sensitive data or be responsible for handling critical systems or processes. Therefore, including vendors in the scope of the audit ensures that their security controls and practices are assessed and aligned with the ISO 27001 standard. This helps to identify any potential risks or vulnerabilities that could impact the organization’s information security.
By including vendors in the audit scope, organizations can ensure a comprehensive and holistic approach to their information security management system.
To identify the vendors in scope, focus on the critical vendors, such as cloud hosting providers and other production-related organizations supporting the product or service in scope.
Internal and external parties in scope
You need to list all internal stakeholders (e.g., employees, Board of Directors) and external parties (e.g., customers, regulators, government) and their needs and interests relevant to your ISMS or information security.
Relevant laws and regulations in scope
You need to list the laws and regulations that are relevant to information security for your business and describe how you intend to fulfill those requirements.
Physical Office/Location in scope
There is no mandatory requirement to include an organization’s headquarters in the scope of the ISMS, and physical locations can usually be carved out of the scope. However, an office site can be added to the scope depending on its relevance to the ISMS (e.g., whether it hosts a server or serves as a satellite office).
Scoping guidance template
| Scope item | Scoping guidance |
| --- | --- |
| Product(s) | Provide a detailed description of your organization’s products or services. Focus on the product or service under review. |
| Data | Provide the type of data and people that flow through the product or service under review. |
| Systems | Provide a list of systems/tools that flow through or support the product or service under review. |
| Vendors | Provide a list of critical vendors being used to support the product or service under review. |
| Internal and external parties | Provide a list of internal and external parties with needs relevant to the ISMS. |
| Laws and regulations | Provide a list of relevant laws and regulations regulating the product or service under review. |
| Physical office/location | Provide a list of locations serving as operation centers to support the product or service under review. |
In conclusion, the scope definition is a crucial aspect of conducting an ISO 27001 audit. It allows organizations to set the boundaries of the audit and focus on specific aspects, such as products, data, systems, vendors, and internal and external parties. By including the relevant products in the scope, organizations can evaluate their information security practices and identify areas for improvement.
Defining the data in scope ensures that all critical information is assessed and protected. Identifying the systems in scope helps prioritize the evaluation of essential tools and controls. Including vendors in the scope ensures their security controls align with ISO 27001 standards.
Lastly, considering internal and external parties and relevant laws and regulations helps organizations fulfill their information security requirements. By following the provided scoping guidance template, organizations can effectively determine the scope of their ISO 27001 audit.