Scoping ISMS: How far should your Integrated Security Management Systems go?

Companies implement Integrated Security Management Systems (ISMS) to achieve sufficient security levels to protect the company's sensitive data. However, scoping ISMS will always depend on the company's information security maturity and on other factors whose impacts we need to understand and measure before beginning the implementation.

As experts in IT Security Management and Systems, we have plans that make this process easier and that scope ISMS to more ambitious (or optimal) levels, beyond the merely sufficient. Let's start this process together.

Scoping ISMS: The beginning

Scoping ISMS begins by systematizing the documentation that governs the organization. This process is known as identification of critical elements to protect. In other words, we begin by determining which sensitive information will be protected under the scope of the ISMS, and separating it from the data that will remain in the public domain.

With this action alone, we have already begun scoping ISMS. However, it is only the first step in a series of broader measures that we must observe. At this point, we open a short parenthesis to explain them.

To summarize and give order to so many details, many standards have been created for applying best practices devoted to preventing data leakage. Because it enjoys strong global credibility, acceptance, and respect, we will take the ISO 27001 standard as the framework for scoping ISMS.

In its Clause 4.1, the ISO 27001 standard expressly states that both internal and external factors must be weighed when scoping ISMS. All of them are related to the organization and its business model.

In particular, scoping ISMS demands listing and incorporating details of the assets linked to critical information, such as the type of device that contains the data, the physical location, the organizational units, and the activities or processes of greatest importance in the organizational scheme. Let's detail them.

Scoping ISMS: Internal Elements

On the one hand, internal elements are those related to the performance of the organization.

They shape and control its daily activities. In this sense, the group of elements sheltered under the label of internal elements are:


  • Mission, vision and objectives
  • Governance and organizational structure
  • Levels of process maturity
  • Strategic plans
  • Professional secrets
  • Personal data of employees
  • Financial data and similar

Scoping ISMS: External Elements

On the other hand, external elements are those outside the control of the company. Among them we name:

  • Local market and the competition
  • Industry practices
  • Local and international laws
  • Political and financial environment

Once we clearly and precisely identify all these elements, we know in depth the company's particular features and the environment where it works. Only after this step do we scope its objectives in terms of security.

Scoping ISMS: The implementation

After scoping ISMS, we move on to the phase of record setting that addresses the company’s digital security.

In this sense, record settings are precisely what drive improvement processes. As they set a milestone in terms of security, they also set the terms to be corrected. Everybody makes mistakes, and errors or inaccuracies may have been committed during the phase of identification and collection of critical elements.

Additionally, they also allow the correction of deviations in the actions taken to protect the sensitive data of the company, whether by excess or by shortfall.

In other words, record settings will highlight all the accuracies, excesses and operational shortcomings in our Integrated Security Management Systems and, as such, they will point the way to establishing corrective actions that guarantee continuous improvement.

Scoping ISMS: Final Considerations

Like every creation of man, scoping ISMS is by itself an imperfect process. Also, policies and objectives always change, and our companies should always be ready to comply with them. In other words, if we want to keep up with changes, we need to regularly review our record settings, external and internal elements, and policies to update the scope of our ISMS.

We should also adjust them to the results of safety audits, measurements, incidents, and the suggestions and observations of all the parties involved. In short, we should always keep in mind that scoping ISMS is far from being a set of fixed values that ends with implementation, start-up and subsequent certification; it must be continually improved.

We reiterate: as experts in security management and IT systems, we have plans that make the process easier for you. Improve the process of scoping ISMS to more ambitious and optimal levels, beyond the merely sufficient. Contact us here to help you start it now.
