Scope Assessment
Introduction to the ISMS Scope Assessment Workbook
This workbook is designed to assist in defining the scope of an Information Security Management System (ISMS) in alignment with ISO 27001:2022 requirements.
Each section of the workbook reflects core ISO 27001 principles, including the integration of legal, regulatory, and contractual obligations and considerations for interfaces and dependencies.
Influences
What are the key internal and external factors shaping the organisation's environment?

| Internal Influences | External Influences |
| --- | --- |
| Legacy IT systems are reaching end of life in terms of vendor support. | GDPR compliance has not been formally addressed. |
| Security maturity gaps found by independent audit. | The cyber threat landscape, particularly ransomware, is growing. |
| Outdated and inconsistently applied security tools. | Competitive pressure: other organisations are investing heavily in information security credentials. |
| Lack of staff training on cyber security. | Emerging regulatory changes. |
| Resource constraints. | Customer security expectations and the ability to bid for some contracts. |
| A complex organisational structure with multiple global offices. | Supply chain vulnerabilities; suppliers are not being assessed for resilience or alternatives, and we have a heavy dependency on them. |
| Limited budget for IT. | |
Stakeholders
Consider who the people behind the influences are. Who is interested in your ISMS, and what are their requirements?

| Stakeholder | Requirements |
| --- | --- |
| Regulators | GDPR compliance. |
| Customers | Information confidentiality and how we handle their data is important. Reputational damage could be high, and contracts could be cancelled if data is breached. |
| Employees | Awareness training on security, and interest in how their employment data is handled. |
| Suppliers | Key suppliers request sufficient security controls around our API access and shared systems. |
| IT Service Providers | A defined incident response process; outsourced data processing needs to be clearly defined and addressed for compliance purposes. |
| Senior Leadership | Alignment with business strategy. |
| Shareholders | Assurance of risk mitigation. |
Critical information assets
What information assets (data, systems, processes and knowledge) must be protected, and what regulatory or contractual obligations exist?

Data

| Asset Type | Description | Regulatory / Legal Obligations | Criticality |
| --- | --- | --- | --- |
| Customer data | GDPR-protected information, customer employee data, and payment data. | Payment Card Industry Data Security Standard (PCI DSS) | High |
| Employee data | Employee data, including health, salary, and PII data. | GDPR | High |
| Intellectual Property | Development code and proprietary algorithms. | n/a | High |
Systems

| Asset Type | Description | Regulatory / Legal Obligations | Criticality |
| --- | --- | --- | --- |
| Customer Relationship Management (CRM) | Centralized system (e.g., Salesforce) for managing customer interactions and data. | GDPR/CCPA: must safeguard customer PII stored within the system. | High: critical for customer-facing operations. |
| Enterprise Resource Planning (ERP) | Integrated system (e.g., SAP, Oracle) managing core business processes like finance and HR. | SOX compliance for financial data integrity; GDPR for employee data. | Critical: central to organizational operations. |
| Learning Management System (LMS) | Platform for employee training and compliance certifications (e.g., Workday Learning). | ISO 27001 requires documented employee training records for security awareness. | Medium: essential for workforce compliance. |
| Incident Response System | System (e.g., ServiceNow) used for tracking and managing IT incidents and resolutions. | ISO 27001 mandates incident management documentation and tracking capabilities. | High: supports business continuity. |
| Document Management System (DMS) | Centralized repository (e.g., SharePoint) for storing and accessing organizational documents. | ISO 9001 and GDPR compliance for document control and access permissions. | High: key to operational efficiency. |
| Human Resources Management System (HRMS) | System (e.g., BambooHR) for managing employee records and payroll data. | GDPR/CCPA: ensure secure storage and processing of employee PII. | Critical: integral for workforce management. |
Hardware

| Asset Type | Description | Regulatory / Legal Obligations | Criticality |
| --- | --- | --- | --- |
| Laptops & Desktops | Devices used by employees for daily operations. | Ensure compliance with GDPR (encryption for PII) and HIPAA (if healthcare-related data is handled). | High: sensitive data may be stored. |
| Firewalls | Network devices providing perimeter security to block unauthorised access and monitor traffic. | Must meet PCI DSS requirements for firewall configuration and logging for systems handling payments. | High: protects all network traffic. |
| Servers (AWS Hosted) | Virtual servers hosted on AWS for applications, data storage, and processing. | Comply with ISO 27001: encryption, access controls, and AWS-specific certifications (e.g., SOC 2). | Critical: hosts core business data. |
| Mobile Devices | Company-owned smartphones and tablets for the mobile workforce. | GDPR/CCPA: require remote wiping capabilities and secure configurations to protect PII. | Medium: dependent on data stored. |
Knowledge

| Asset Type | Description | Regulatory / Legal Obligations | Criticality |
| --- | --- | --- | --- |
| Key Employee Expertise | Specialised knowledge held by a specific employee (e.g., custom software processes, vendor relations). | No direct obligations, but single points of failure must be mitigated (continuity). | High: risk of operational disruption. |
Documentation

| Asset Type | Description | Regulatory / Legal Obligations | Criticality |
| --- | --- | --- | --- |
| Process Documentation | Detailed internal guides on performing critical processes (e.g., incident response procedures). | ISO 27001 requires documented procedures for incident and risk management. | High: supports organisational continuity. |
Boundaries
What are the physical and logical boundaries within the scope (business functions, offices, systems, networks, etc.)?

| Scope Boundary | Description |
| --- | --- |
| IT Department Only | Focuses on IT infrastructure, systems, and service management processes within the IT team. |
| Critical Business Processes | Includes processes like incident management, change management, and asset management. |
| Specific Locations | Applies to the head office, regional offices, or data centres while excluding other branches. |
| Cloud Environments Only | Covers systems and services hosted on cloud platforms (AWS, Azure, etc.), excluding on-premises. |
| Production Systems | Focuses on customer-facing systems and critical services while excluding development/testing. |
| Customer Support Services | Includes help desk systems, call centres, and customer-facing support processes. |
| Supply Chain and Vendor Systems | Covers shared systems and vendor integrations while excluding internal-only processes. |
| Data Protection for Specific Regulations | Focuses on systems required for GDPR, HIPAA, or other regulatory compliance. |
| IT Systems for a Specific Business Unit | Covers systems and assets for specific units like Finance or HR, excluding unrelated units. |
| Physical Security for Specific Facilities | Includes server rooms, warehouses, or secure areas, excluding general office spaces. |
Out of scope
What needs to be clarified as not being included in the ISMS scope?

| Out-of-Scope Element | Description |
| --- | --- |
| Legacy Systems Pending Decommission | Systems scheduled for retirement that are not maintained under current security controls. |
| Non-Critical Business Units | Departments or teams that do not handle sensitive information or critical processes. |
| Development and Testing Environments | Non-production environments where data is anonymised or less critical. |
| Third-Party Vendor Systems | External vendor systems where the organisation does not have operational control or responsibility. |
| Archived Data | Historical or backup data stored offline and not actively used in operations. |
| General Office Areas | Non-secure areas like meeting rooms, cafeterias, or reception spaces. |
| Non-IT Physical Locations | Facilities or locations that do not house critical systems or sensitive information. |
| Retired Hardware | Old hardware devices that are no longer in use and are awaiting secure disposal. |
| Non-Regulated Data | Information not subject to compliance requirements (e.g., GDPR, HIPAA) or business-critical rules. |