ExamSimul
  • Certifications
    • Agile
    • Agile Scrum
    • Business Continuity
    • CyberSecurity
      • ISO 27001
      • NIST
    • Design Thinking
    • DevOps
    • Enterprise Architecture
    • Governance System
    • Lean Six Sigma
      • LSS Yellow Belt
      • LSS Green Belt
      • LSS Black Belt
    • Project Management
      • AgilePM
      • PM2
      • PRINCE2
      • PRINCE2 Agile
    • Service Management
      • FitSM
      • ISO 20000
      • ITIL
        • ITIL Foundation
        • ITIL Managing Professional
        • ITIL Strategic Leader
        • ITIL Practitioner
      • OpenSM
    • SW Testing
  • Exams
    • AgilePM®
    • Agile Scrum Product Owner®
    • Agile Scrum Master®
    • Design Thinking®
    • DevOps®
    • DORA Resilience
      • DORA Foundation
    • Enterprise Architecture
      • Exam Simulator for TOGAF® EA Foundation
    • FitSM®
    • ISO 20000
      • ISO 20k Foundation
      • ISO 20k Auditor
    • ISO 22301 Continuity
    • ISO 27001
      • ISO 27001 Foundation
      • ISO 27001 Auditor
      • ISO 27001 Lead Auditor
      • ISO 27701 Foundation
    • ISO 31000 Risk Mgmt
    • IT Governance
    • ITIL®
      • ITIL® Foundation
      • ITIL® Managing Professional
      • ITIL® Strategic Leader
      • ITIL® Practitioner
    • Lean Six Sigma
      • LSS Yellow Belt
      • LSS Green Belt
      • LSS Black Belt
    • NIS 2 Cybersecurity
      • NIS 2 Foundation
    • NIST Privacy
      • NIST Privacy Foundation
    • OpenSM™
      • OpenSM Foundation
    • PM2®
      • PM2 Foundation
    • PRINCE2®
      • PRINCE2® Foundation
      • PRINCE2® Practitioner
    • PRINCE2® Agile
    • SW Testing
  • Courses
    • AgilePM
      • AgilePM® Foundation
      • AgilePM® Practitioner
    • Agile Scrum
      • Agile Scrum Master
    • Cloud Management
    • Design Thinking
      • DT Method® Foundation
    • DORA Cybersecurity
    • FitSM
      • FitSM Foundation
    • ISO/IEC 20000
      • ISO 20000 Foundation
      • ISO 20000 Auditor
      • ISO 20000 Practitioner
      • ISO 20000 Lead Auditor
    • ISO 22301 Continuity
      • ISO 22301 Foundation
    • ISO/IEC 27000
      • ISO 27001 Foundation
      • ISO 27001 Auditor
      • ISO 27001 Practitioner
      • ISO 27001 Lead Auditor
      • ISO 27032 Foundation
      • ISO 27035 Foundation
    • ISO 31000 Risk Mgmt
      • ISO 31000 Foundation
    • ITIL® 4
      • ITIL® 4 Foundation
      • ITIL® 4 Managing Professional
        • ITIL® 4 CDS
        • ITIL® 4 DSV
        • ITIL® 4 HVIT
        • ITIL® 4 DPI
      • ITIL® 4 Strategic Leader
        • ITIL® 4 DPI
        • ITIL® 4 DITS
      • ITIL® 4 Practitioner
        • ITIL® 4 Monitoring and Event Management
        • ITIL® 4 Incident Management
        • ITIL® 4 Problem Management
        • ITIL® 4 Service Desk
        • ITIL® 4 Service Request Management
    • Lean Six Sigma
      • LSS Yellow Belt
      • LSS Green Belt
      • LSS Black Belt
    • NIS 2 Cybersecurity
    • OpenSM
      • OpenSM Foundation
    • PM2 EU Project
      • PM2® Foundation
    • PRINCE2®
      • PRINCE2® Foundation
      • PRINCE2® Practitioner
    • PRINCE2 Agile®
      • PRINCE2 Agile® Foundation
      • PRINCE2 Agile® Practitioner
    • Privacy
      • ISO 27701 Privacy Foundation
      • NIST Privacy Foundation
    • SW Testing
      • SW Testing Foundation
    • TOGAF®
      • TOGAF® EA Foundation
      • TOGAF® EA Practitioner
  • Resources
    • Academy
    • Examination Institute
      • APMG
      • Axelos
        • CPD Requirements
      • EXIN
      • GoToCertify
      • ISACA
      • PECB
      • Peoplecert
        • How to access eBook
        • How to book an Exam
        • How to renew ITIL certification
      • PMI
        • PDU to maintain PMI® certifications
        • Earn Education PDUs
      • The Open Group
        • Test Center
        • Online exam
    • Learning Delivery Methods
      • Online courses
      • Distant courses
      • In-house courses
      • ONE-to-ONE courses
      • Blended courses
      • Fully tailored courses
    • Exam Glossary
    • Exam Proctor
    • Tutor / Trainer
    • Download
    • Webinar
  • Blog
    • Learn
      • Agile
        • Agile History
        • Manifesto Agile
        • AgilePM
          • About AgilePM
          • Choosing DSDM
      • Design Thinking
        • Background
        • About Design Thinking
        • What is Design Thinking
        • Design Thinking Process
      • Enterprise Architecture
        • About TOGAF® Standard, 10th Edition
        • Structure of TOGAF® Standard, 10th Edition
        • Migration TOGAF® EA certification
      • ISO 27001
        • ISO 27001 Requirements
          • Clause 4
            • Requirements 4.1
            • Requirements 4.2
            • Requirements 4.3
            • Requirements 4.4
          • Clause 5
            • Requirements 5.1
            • Requirements 5.2
            • Requirements 5.3
          • Clause 6
            • Requirements 6.1
            • Requirements 6.2
          • Clause 7
            • Requirements 7.1
            • Requirements 7.2
            • Requirements 7.3
            • Requirements 7.4
            • Requirements 7.5
          • Clause 8
            • Requirements 8.1
            • Requirements 8.2
            • Requirements 8.3
          • Clause 9
            • Requirements 9.1
            • Requirements 9.2
            • Requirements 9.3
          • Clause 10
            • Requirements 10.1
            • Requirements 10.2
      • Lean Six Sigma
        • LSS Define Phase
          • The Basics of Six Sigma
            • Meanings of Six Sigma
            • History of Six Sigma
            • LSS Project Deliverables
            • y= f(x)
            • Voice of Customer
            • Six Sigma Teams
        • LSS Measure Phase
        • LSS Analyze Phase
        • LSS Improve Phase
        • LSS Control Phase
      • Project Management
        • PM2
      • Service Management
        • ISO/IEC 20000
          • ISO20k vs Practices
        • ITIL® 4
          • ITIL® 4 Roles based
          • ITIL® 4 Practices based
          • ITIL® 4 Certification guide
          • ITIL® 4 DITS Practical Assignments
    • News
      • Agile Scrum
      • Design Thinking
      • Enterprise Architecture
      • Examination Institute
      • Information Security
      • Project Management
      • Service Management
  • About Us
    • Why ExamSimul
    • Accreditations
    • Partner Program
    • Corporate Training
      • Training Points
    • Terms of Use
    • Privacy Policy
    • Contact Us

Signup  Login

Requirements 4.3

  • Home\
  • Blog \
  • Learn\
  • ISO 27001\
  • ISO 27001 Requirements\
  • Clause 4\
  • Requirements 4.3

What is ISO 27001 Clause 4.3?

Clause 4.3 of the ISO 27001 standard involves setting the scope of your Information Security Management System (ISMS). This is a crucial part of the ISMS as it will tell stakeholders, including senior management, customers, auditors and staff, what areas of your business are covered by your ISMS. You should be able to quickly and simply describe or show your scope to an auditor and ideally a lay person as your new staff will need to know too. The external auditor for the ISMS (assuming you are going for independent certification) will probably also want to see the Statement of Applicability detail at the same time as the scope.

How to Set the Scope of the ISMS to meet ISO 27001?

The in-scope activity will be much more logical to consider once you have completed the work for 4.1 and 4.2. You'll probably consider the organisation, subsidiaries, divisions, departments, products, services, physical locations, mobile workers, geographies, systems and processes for your scope as the information assurance and risk assessment work will be following those parts of your organisation that need to be protected  Remember to also think about what the powerful stakeholder interested parties will expect too. If you did look at leaving any part of the organisation out of scope, what would the impact be for those powerful interested parties? Would you also have to run multiple systems and end up confusing staff about what was in and out of scope in the way they worked?

What parts of the business need to create, access or process the information assets you see as valuable? These would almost certainly need to be in scope if the pressures were driven externally by customers for satisfying their information assurance needs. For example, you might focus on your product development and delivery but would still have to look at the people, processes etc around it too.  Also think about what you can and can't control or influence.

It could be minutes of effort to get this work done or might take considerably longer in a larger enterprise where it can be politically and practically challenging to determine a controllable scope. ISO certification bodies like UKAS are pushing more towards 'whole organisation' scope too and powerful customers will generally expect that as well.

How to Document 'out-of-scope' for an ISMS to meet ISO 27001?

You should also carefully note the 'out of scope' areas for the ISMS too, wrapped up alongside the key interfaces and dependencies between activities performed by the organisation and those that are performed by other organisations. At a simplistic level, let's imagine you are a software developer and rely on outsourcing of the datacentre for hosting of the service to customers.

You'd probably clarify that the scope for your 4.3 is that within your organisation for the people and the software itself, but would put the boundaries and activities of the data centre out of your controlled scope - after all you would expect them to also maintain their own trusted ISMS.

It is the same for physical property - if there is a reliance on a landlord for certain work (e.g. loading, barriers and reception control) that might form a boundary where the physical location security itself is out of scope for your control and you'd work your ISMS activity within that property. You would however still be expected to manage the supplier as part of your supplier policies in Annex A 5 and ensure their practices at least met the requirements for your ISMS and risk appetite but that's for another time.

  1. Building on the point above, if you did leave parts out of scope, what would the impact be for staff? Would some of their work be in scope and some out of scope? If so are there additional risks and complications where they might confuse practices (say), not protect work, and cause more threat from following two different approaches?
  2. Are there opportunities to describe things differently e.g. treat some satellite offices as tele/remote workers, not as physical premises or locations in scope?
  3. Simplifying or constraining scope early could make sense if you can effectively segment the information boundaries and demonstrate the risks are being addressed.  However, if you have a goal of adding in something later then keep in mind that a material change in scope might trigger a need for another audit, depending on what, when, how and whether driven by internal goals or external pressures.
 
  • Learn
    Learn
    • Agile
      Agile
      • Agile History
      • Manifesto Agile
      • AgilePM
        AgilePM
        • About AgilePM
        • Choosing DSDM
    • Design Thinking
      Design Thinking
      • Background
      • About Design Thinking
      • What is Design Thinking
      • Design Thinking Process
    • Enterprise Architecture
      Enterprise Architecture
      • About TOGAF® Standard, 10th Edition
      • Structure of TOGAF® Standard, 10th Edition
      • Migration TOGAF® EA certification
    • ISO 27001
      ISO 27001
      • ISO 27001 Requirements
        ISO 27001 Requirements
        • Clause 4
          Clause 4
          • Requirements 4.1
          • Requirements 4.2
          • Requirements 4.3
          • Requirements 4.4
        • Clause 5
          Clause 5
          • Requirements 5.1
          • Requirements 5.2
          • Requirements 5.3
        • Clause 6
          Clause 6
          • Requirements 6.1
          • Requirements 6.2
        • Clause 7
          Clause 7
          • Requirements 7.1
          • Requirements 7.2
          • Requirements 7.3
          • Requirements 7.4
          • Requirements 7.5
        • Clause 8
          Clause 8
          • Requirements 8.1
          • Requirements 8.2
          • Requirements 8.3
        • Clause 9
          Clause 9
          • Requirements 9.1
          • Requirements 9.2
          • Requirements 9.3
        • Clause 10
          Clause 10
          • Requirements 10.1
          • Requirements 10.2
    • Lean Six Sigma
      Lean Six Sigma
      • LSS Define Phase
        LSS Define Phase
        • The Basics of Six Sigma
          The Basics of Six Sigma
          • Meanings of Six Sigma
          • History of Six Sigma
          • LSS Project Deliverables
          • y= f(x)
          • Voice of Customer
          • Six Sigma Teams
      • LSS Measure Phase
      • LSS Analyze Phase
      • LSS Improve Phase
      • LSS Control Phase
    • Project Management
      Project Management
      • PM2
    • Service Management
      Service Management
      • ISO/IEC 20000
        ISO/IEC 20000
        • ISO20k vs Practices
      • ITIL® 4
        ITIL® 4
        • ITIL® 4 Roles based
        • ITIL® 4 Practices based
        • ITIL® 4 Certification guide
        • ITIL® 4 DITS Practical Assignments
  • News
    News
    • Agile Scrum
    • Design Thinking
    • Enterprise Architecture
    • Examination Institute
    • Information Security
    • Project Management
    • Service Management
SW Testing Foundation Mock Exam
SW Testing Foundation Mock Exam
28.00‎€
View Details
AgilePM® Foundation with exam
AgilePM® Foundation with exam
805.00‎€
View Details
PRINCE2® 7 Foundation eLearning with exam
PRINCE2® 7 Foundation eLearning with exam
891.00‎€
View Details
LSS Black Belt | Mock Exam
LSS Black Belt | Mock Exam
98.00‎€  88.00‎€
View Details

ExamSimul - is the training centre for the BITIL.COM group - an organization of professionals and senior experts whose main interest is the spread of knowledge and the application of methodologies Agile, Scrum, ITIL®, PRINCE2®, CobiT®, TOGAF®, Design Thinking and Standard International. [...]

Latest downloads

Cybersecurity Act
Cyber Resilience Act
Data Governance Act
09 ITIL 4 Master Brochure
ITIL 4 Case Study The Co-operative Group

Quick link

  • Course Catalogue
  • Academy
  • News
  • FAQs
  • Term of Use
  • Privacy Policy
  • Contact

Contact

Where we areEmail: info@examsimul.com
Linkedin: ExamSimul
2025 © Copyright ExamSimul - All Right Reserved
ITIL®, PRINCE2®, PRINCE2 Agile® are Registered Trade Marks of the PeopleCert group. IASSC Lean Six Sigma™ is trademark of the PeopleCert group. Used under licence from PeopleCert. All rights reserved. TOGAF® is a registered trademarks of The Open Group in the United States and other countries. COBIT® 2019 is a Registered Trade Marks of the Information Systems Audit and Control Association and the IT Governance Institute. AgilePM® is a registered trademark of Agile Business Consortium. All rights Reserved. The APMG International Scrum and Swirl Device logo is a trademark of The APM Group Limited, used under permission of The APM Group Limited. All rights reserved. APMG International ISO/IEC 20000™ is a trademark of The APM Group Limited. All rights reserved. APMG International ISO/IEC 27001™ is a trademark of The APM Group Limited. All rights reserved. FitSM® is a registered trademark of ITEMO e.V. DTMethod® is a registered trademark of Inprogress Sp.zo.o.
  • Certifications
    • Agile
    • Agile Scrum
    • Business Continuity
    • CyberSecurity
      • ISO 27001
      • NIST
    • Design Thinking
    • DevOps
    • Enterprise Architecture
    • Governance System
    • Lean Six Sigma
      • LSS Yellow Belt
      • LSS Green Belt
      • LSS Black Belt
    • Project Management
      • AgilePM
      • PM2
      • PRINCE2
      • PRINCE2 Agile
    • Service Management
      • FitSM
      • ISO 20000
      • ITIL
        • ITIL Foundation
        • ITIL Managing Professional
        • ITIL Strategic Leader
        • ITIL Practitioner
      • OpenSM
    • SW Testing
  • Exams
    • AgilePM®
    • Agile Scrum Product Owner®
    • Agile Scrum Master®
    • Design Thinking®
    • DevOps®
    • DORA Resilience
      • DORA Foundation
    • Enterprise Architecture
      • Exam Simulator for TOGAF® EA Foundation
    • FitSM®
    • ISO 20000
      • ISO 20k Foundation
      • ISO 20k Auditor
    • ISO 22301 Continuity
    • ISO 27001
      • ISO 27001 Foundation
      • ISO 27001 Auditor
      • ISO 27001 Lead Auditor
      • ISO 27701 Foundation
    • ISO 31000 Risk Mgmt
    • IT Governance
    • ITIL®
      • ITIL® Foundation
      • ITIL® Managing Professional
      • ITIL® Strategic Leader
      • ITIL® Practitioner
    • Lean Six Sigma
      • LSS Yellow Belt
      • LSS Green Belt
      • LSS Black Belt
    • NIS 2 Cybersecurity
      • NIS 2 Foundation
    • NIST Privacy
      • NIST Privacy Foundation
    • OpenSM™
      • OpenSM Foundation
    • PM2®
      • PM2 Foundation
    • PRINCE2®
      • PRINCE2® Foundation
      • PRINCE2® Practitioner
    • PRINCE2® Agile
    • SW Testing
  • Courses
    • AgilePM
      • AgilePM® Foundation
      • AgilePM® Practitioner
    • Agile Scrum
      • Agile Scrum Master
    • Cloud Management
    • Design Thinking
      • DT Method® Foundation
    • DORA Cybersecurity
    • FitSM
      • FitSM Foundation
    • ISO/IEC 20000
      • ISO 20000 Foundation
      • ISO 20000 Auditor
      • ISO 20000 Practitioner
      • ISO 20000 Lead Auditor
    • ISO 22301 Continuity
      • ISO 22301 Foundation
    • ISO/IEC 27000
      • ISO 27001 Foundation
      • ISO 27001 Auditor
      • ISO 27001 Practitioner
      • ISO 27001 Lead Auditor
      • ISO 27032 Foundation
      • ISO 27035 Foundation
    • ISO 31000 Risk Mgmt
      • ISO 31000 Foundation
    • ITIL® 4
      • ITIL® 4 Foundation
      • ITIL® 4 Managing Professional
        • ITIL® 4 CDS
        • ITIL® 4 DSV
        • ITIL® 4 HVIT
        • ITIL® 4 DPI
      • ITIL® 4 Strategic Leader
        • ITIL® 4 DPI
        • ITIL® 4 DITS
      • ITIL® 4 Practitioner
        • ITIL® 4 Monitoring and Event Management
        • ITIL® 4 Incident Management
        • ITIL® 4 Problem Management
        • ITIL® 4 Service Desk
        • ITIL® 4 Service Request Management
    • Lean Six Sigma
      • LSS Yellow Belt
      • LSS Green Belt
      • LSS Black Belt
    • NIS 2 Cybersecurity
    • OpenSM
      • OpenSM Foundation
    • PM2 EU Project
      • PM2® Foundation
    • PRINCE2®
      • PRINCE2® Foundation
      • PRINCE2® Practitioner
    • PRINCE2 Agile®
      • PRINCE2 Agile® Foundation
      • PRINCE2 Agile® Practitioner
    • Privacy
      • ISO 27701 Privacy Foundation
      • NIST Privacy Foundation
    • SW Testing
      • SW Testing Foundation
    • TOGAF®
      • TOGAF® EA Foundation
      • TOGAF® EA Practitioner
  • Resources
    • Academy
    • Examination Institute
      • APMG
      • Axelos
        • CPD Requirements
      • EXIN
      • GoToCertify
      • ISACA
      • PECB
      • Peoplecert
        • How to access eBook
        • How to book an Exam
        • How to renew ITIL certification
      • PMI
        • PDU to maintain PMI® certifications
        • Earn Education PDUs
      • The Open Group
        • Test Center
        • Online exam
    • Learning Delivery Methods
      • Online courses
      • Distant courses
      • In-house courses
      • ONE-to-ONE courses
      • Blended courses
      • Fully tailored courses
    • Exam Glossary
    • Exam Proctor
    • Tutor / Trainer
    • Download
    • Webinar
  • Blog
    • Learn
      • Agile
        • Agile History
        • Manifesto Agile
        • AgilePM
          • About AgilePM
          • Choosing DSDM
      • Design Thinking
        • Background
        • About Design Thinking
        • What is Design Thinking
        • Design Thinking Process
      • Enterprise Architecture
        • About TOGAF® Standard, 10th Edition
        • Structure of TOGAF® Standard, 10th Edition
        • Migration TOGAF® EA certification
      • ISO 27001
        • ISO 27001 Requirements
          • Clause 4
            • Requirements 4.1
            • Requirements 4.2
            • Requirements 4.3
            • Requirements 4.4
          • Clause 5
            • Requirements 5.1
            • Requirements 5.2
            • Requirements 5.3
          • Clause 6
            • Requirements 6.1
            • Requirements 6.2
          • Clause 7
            • Requirements 7.1
            • Requirements 7.2
            • Requirements 7.3
            • Requirements 7.4
            • Requirements 7.5
          • Clause 8
            • Requirements 8.1
            • Requirements 8.2
            • Requirements 8.3
          • Clause 9
            • Requirements 9.1
            • Requirements 9.2
            • Requirements 9.3
          • Clause 10
            • Requirements 10.1
            • Requirements 10.2
      • Lean Six Sigma
        • LSS Define Phase
          • The Basics of Six Sigma
            • Meanings of Six Sigma
            • History of Six Sigma
            • LSS Project Deliverables
            • y= f(x)
            • Voice of Customer
            • Six Sigma Teams
        • LSS Measure Phase
        • LSS Analyze Phase
        • LSS Improve Phase
        • LSS Control Phase
      • Project Management
        • PM2
      • Service Management
        • ISO/IEC 20000
          • ISO20k vs Practices
        • ITIL® 4
          • ITIL® 4 Roles based
          • ITIL® 4 Practices based
          • ITIL® 4 Certification guide
          • ITIL® 4 DITS Practical Assignments
    • News
      • Agile Scrum
      • Design Thinking
      • Enterprise Architecture
      • Examination Institute
      • Information Security
      • Project Management
      • Service Management
  • About Us
    • Why ExamSimul
    • Accreditations
    • Partner Program
    • Corporate Training
      • Training Points
    • Terms of Use
    • Privacy Policy
    • Contact Us
  0  - 0.00‎€
Your shopping cart is empty!
USD EUR GBP
Top

Training Course Catalogue

Training Course Catalogue 

Unlock Your Potential, Transform Your Future!

Rewarding Your Excellence in ITIL 4
Get Free ITIL4 Practitioner Exam Voucher
ONE-TIME ONLY OFFER
Get our Mock Exam for just 3 €uro/USD for the ISO 27001 Foundation!
Yes, I want... No thanks, I don't want...
This is the only time you will see this offer.
Course Catalogue Corporate Training Course Calendar Contact Us