Document ID: ISMS-SCOPE-001 | Version: 1.0 | Date: March 2026 | Classification: Internal | Owner: Information Security Manager
## Purpose
This document defines the boundaries and applicability of [Organisation Name]’s Information Security Management System (ISMS) in accordance with ISO/IEC 27001:2022 Clause 4.3. It establishes what is included within the ISMS, what is excluded and why, and identifies the key interested parties whose requirements have been considered.
## 1. Organisation Context
| Item | Detail |
|---|---|
| Legal Entity | [Organisation Name] Pty Ltd |
| Industry | Managed Cybersecurity Services |
| Primary Location | [City, Country] |
| Employee Count | [Number] |
| Relevant Standards | ISO/IEC 27001:2022, SOC 2 Type II, PCI DSS v4.0 |
### 1.1 Internal Context
- The organisation provides managed security operations, penetration testing, and cloud security consulting to clients across financial services, healthcare, and technology sectors.
- Key internal factors: reliance on cloud infrastructure (AWS, Azure), remote-first workforce, contractual obligations requiring certified security controls.
### 1.2 External Context
- Regulatory environment: Privacy Act 1988 (Australia), GDPR (for EU client data), sector-specific regulations per client contract.
- Market expectation: clients require ISO 27001 certification as a pre-condition for engagement.
- Threat landscape: targeted attacks against cybersecurity firms, supply chain compromise risk.
## 2. ISMS Scope Statement
The ISMS applies to the design, delivery, and support of managed cybersecurity services, including:
- Security Operations Centre (SOC) monitoring and incident response services
- Penetration testing and vulnerability assessment services
- Cloud security consulting and assessment services
- Internal corporate IT systems supporting the above services
Physical boundaries: All offices at [Primary Address] and [Secondary Address if applicable], and all remote working environments used by employees and contractors.
Logical boundaries: All information systems, applications, networks, and cloud environments owned, operated, or contracted by the organisation to deliver in-scope services.
## 3. Interested Parties
| Interested Party | Interest / Requirement | How Addressed |
|---|---|---|
| Clients | Confidentiality of their data; certified security controls | ISO 27001 certification; contractual DPA |
| Employees | Safe and compliant working environment | Security awareness training; clear policies |
| Regulators (OAIC, ICO) | Compliance with privacy law | Privacy policy; breach notification procedure |
| Cloud providers (AWS, Azure) | Shared responsibility compliance | Cloud security policy; configuration standards |
| Cyber insurers | Demonstrable risk management | ISMS documentation; annual risk assessments |
| Shareholders / Board | Business continuity; reputational protection | Management review; BCP/DR plan |
## 4. Scope Boundaries
### 4.1 In Scope
- All information assets used to deliver managed SOC, penetration testing, and cloud consulting services
- Corporate email, collaboration tools (Microsoft 365), and HR systems
- All personnel: full-time employees, part-time employees, and contractors with access to in-scope systems
- Third-party suppliers with access to client data or in-scope systems
### 4.2 Exclusions
| Excluded Item | Justification |
|---|---|
| Subsidiary [Name] (if applicable) | Operates under a separate ISMS; no integration with in-scope systems |
| Marketing website hosting (Cloudflare Pages) | Static site; no client data processed; no access to internal systems |
| Personal devices used strictly for two-factor authentication | No organisational data stored; access-only role |
Note: All exclusions must be reviewed annually and documented in the Management Review. An item may be excluded only if excluding it does not affect the organisation’s ability to achieve the intended ISMS outcomes.
## 5. Interfaces and Dependencies
| Interface | Description | Managed By |
|---|---|---|
| Client SIEM ingestion | Log data received from client environments into SOC platform | SOC Manager |
| AWS/Azure cloud API | Access to cloud environments for assessment services | Cloud Practice Lead |
| Payroll / HR system | Employee data; access provisioning triggers | HR Manager |
| Penetration testing lab network | Isolated network segment for offensive tooling | Technical Director |
## 6. Review
This Scope Document is reviewed annually as part of the Management Review (Clause 9.3) or following:
- A significant change to the organisation’s services or structure
- A material change in the threat landscape or regulatory environment
- A major security incident affecting the boundaries of the ISMS
| Review Date | Reviewed By | Changes Made | Next Review |
|---|---|---|---|
| March 2026 | [Name], ISM | Initial issue | March 2027 |