ISO 27001: Scoping and mandatory clauses

Prepare for ISO 27001 certification with a scope statement that defines your company’s information security management system

October 24, 2022

photo of a low angle view of glass ceiling with metal muntin bars.

When it comes to ISO 27001, scoping is a key step toward setting up the entire certification process. ISO 27001 is a flexible standard, allowing organizations or service providers to determine the scope of its information security management system (ISMS). 

The ISMS encompasses all the applications, systems, processes, and people your organization needs to protect. The scoping statement (also referred to as statement of scope) sets the boundaries of your ISMS and is one of the documents mandatory to the ISO 27001 process.

This article goes over the main components of the ISO 27001 standard and how to begin your scoping process.

The structure of ISO 27001

The ISO 27001 standard is broken down into two major components:

  1. Mandatory clauses: The first part of the ISO 27001 standard lists 11 clauses (0–10), with only 4–10 being the clauses a company must implement to be ISO 27001 compliant.
  2. Annex A controls: The latest ISO 27001 version has 93 security controls a company selects from to create its security risk assessment. (Note that companies only need to adopt controls that apply to their specific operations.)


How do you scope an ISO 27001 project?

To set the scope of your ISMS, start by looking at your systems and processes and deciding which of the ISO 27001 Annex A controls are applicable. 

This will naturally take some time, as scoping determines which controls will be operationalized and assessed for ISO 27001 compliance.

While controls are unique to each business, here are a few standard questions to help set your ISO 27001 scope:

  • Do you collect any personally identifiable information?  
  • Does your company outsource any development activities? 
  • Do you use any vendors/suppliers to deliver your services? 
  • Does your organization maintain any removable storage media that contains sensitive information? 
  • Does your physical office have access points (i.e., delivery and loading areas)?


Why get an ISO 27001 certification?

ISO 27001 remains one of the most popular global security standards, and it’s easy to see why. Here are a few benefits the certification can provide:

  • Receive international recognition: ISO 27001 is the international standard for information security and a certification recognized around the world. 
  • Motivate leadership to invest in InfoSec: An ISO certification can encourage senior stakeholders to see the benefits and prioritize InfoSec in your organization. 
  • Take a risk-based approach to InfoSec: ISO 27001 encourages companies to adopt a risk-based approach and set processes that are more proactive about information security. 
  • Build trust in the market: One of the best ways to prove an organization’s systems are trustworthy is through ISO 27001 compliance. A third-party assessment serves as the objective opinion your potential and existing customers can rely on. 
  • Save time on security questionnaires: Security questionnaires are time-consuming and take teams away from other priorities. By going through an ISO 27001 compliance, these types of questionnaires become redundant and no longer needed. 
  • Establish competitive advantage: ISO 27001 proves you have a good security management process, adding a layer of credibility to your company that competitors may not have. 
  • Gain more customers: As a byproduct of all the benefits above, an ISO 27001 certification can help win more customers and foster increased loyalty to your company.

Learn more about gaining compliance by downloading this eBook about the ISO 27001 journey. To request a demo for OneTrust’s Certification Automation tool, go here.     

You may also like


Third-Party Risk

5 Ways to save time when assessing third parties for privacy and security risks webinar

Join our webinar and learn how to save time and streamline third-party risk assessment throughout the TPRM lifecycle.

October 25, 2023

Learn more


Third-Party Risk

Live demo: Building your third-party risk management program with OneTrust

Explore how OneTrust can help you build an efficient third-party risk management program that streamlines manual processes and uncovers hidden risks.

September 28, 2023

Learn more


Technology Risk & Compliance

Prioritizing the right InfoSec frameworks for your organization

In this free eBook, we explore the basics of three top InfoSec frameworks and how to decide which is the best fit for your organization.

September 27, 2023

Learn more