The ISMS Scope Statement is the foundational document of your entire ISO 27001 implementation. Every deliverable you produce in this lab — from the Risk Assessment to the Internal Audit Report — will reference it. Before any control is selected, any risk assessed, or any policy written, the organization must first answer one critical question: What exactly are we protecting, and where?
In this task, you are the external ISO 27001 consultant engaged by Pemberton Lowe LLP, a mid-sized UK law firm with offices in London, Manchester, and Edinburgh. The firm’s managing partner has committed to achieving ISO 27001 certification within 18 months in response to a Solicitors Regulation Authority (SRA) cybersecurity directive. You are starting from zero: no existing ISMS, no prior certification, no documented scope.
Your job in this task is to define the boundaries and applicability of the ISMS with enough precision that any assessor, auditor, or new team member can immediately understand what is included, what is excluded, and why.
ISO 27001 Clause 4.3 requires that the organization determine the scope of its ISMS. Sounds simple. It rarely is.
Scope decisions carry real consequences:
A well-written scope statement does three things simultaneously. It tells the organization what is being secured. It tells auditors where the ISMS applies. And it tells the business why, by anchoring scope decisions explicitly to the firm’s context, its interested parties, and the interfaces it has with the outside world.
Clause 4.3 (Determining the scope of the ISMS) states that the organization shall determine the boundaries and applicability of the ISMS, taking into account:
The scope must be available as documented information, which is exactly what this form produces.
ISMS Scope vs. the organization’s full footprint: The scope defines what the ISMS covers, not what the organization does. You can legitimately exclude a business unit, system, or location, but only if it has no meaningful interface with the information assets you are protecting, and you can justify that exclusion in writing.
Interested parties and their requirements: Clause 4.2 feeds directly into scope. The firm’s clients expect confidentiality of privileged communications. The SRA expects demonstrable cybersecurity governance. HMRC expects integrity of financial records. These requirements shape what must be protected and therefore what must fall within the scope.
Interfaces and dependencies: Modern law firms do not operate in isolation. Pemberton Lowe shares documents with clients via a portal, sends matter files to barristers’ chambers, uses cloud storage, and relies on a managed SOC. Each of these is an interface: a point where information crosses the ISMS boundary. The scope statement must acknowledge these interfaces, even if the third parties themselves are not in scope.
Inclusions and exclusions: Any exclusion from scope must be documented and justified. An assessor will test whether excluded elements could affect the firm’s ability to achieve the confidentiality, integrity, and availability of information within the scope, or its clients’ data. Weak exclusion justifications are a common finding in Stage 1 audits.
A strong scope statement is:
A weak scope statement says things like “all of our IT systems” or “the information security activities of the firm.” These are circular and unverifiable. An assessor cannot determine what is in scope from a statement like that, and neither can your staff.
In real ISO 27001 implementations, the scope statement is often the document that generates the most disagreement between the consultant and the client. Senior partners want to limit scope to reduce cost and disruption. Auditors want comprehensive coverage. Your job is to find the defensible middle ground: inclusive enough to be credible, bounded enough to be achievable.
Pemberton Lowe’s SRA directive means the firm cannot afford a scope so narrow it excludes the systems most relevant to client data protection. But it also cannot afford a scope so broad that implementation stalls before certification.
Write the scope as if you will be defending it in a Stage 1 audit in twelve months’ time.