Training Module
ISMS Scope, Boundaries & Statement of Applicability
Understand how to define an ISO/IEC 27001 ISMS scope and boundaries and document a Statement of Applicability (SoA)
Training Module
ISMS Scope, Boundaries & Statement of Applicability
Understand how to define an ISO/IEC 27001 ISMS scope and boundaries and document a Statement of Applicability (SoA)
Training Module
ISMS Scope, Boundaries & Statement of Applicability
Understand how to define an ISO/IEC 27001 ISMS scope and boundaries and document a Statement of Applicability (SoA)
Is your information security scope vague, leaving boundaries and applicability decisions undefended?
This training module teaches how to define and maintain a clear ISMS scope and Statement of Applicability aligned to risk treatment.
Is your information security scope vague, leaving boundaries and applicability decisions undefended?
This training module teaches how to define and maintain a clear ISMS scope and Statement of Applicability aligned to risk treatment.
Is your information security scope vague, leaving boundaries and applicability decisions undefended?
This training module teaches how to define and maintain a clear ISMS scope and Statement of Applicability aligned to risk treatment.
Training module overview
Training module overview
Training module overview
Weak scope definitions and poorly justified applicability decisions undermine the credibility of an Information Security Management System.
This training module guides participants through drafting a defensible scope statement, identifying interfaces and dependencies, and connecting risk treatment outputs to control applicability. It explains how to structure a Statement of Applicability with rationale and implementation status and how to maintain the scope and SoA over time. Operational implementation differences are highlighted to avoid “documented but not done” gaps.
Weak scope definitions and poorly justified applicability decisions undermine the credibility of an Information Security Management System.
This training module guides participants through drafting a defensible scope statement, identifying interfaces and dependencies, and connecting risk treatment outputs to control applicability. It explains how to structure a Statement of Applicability with rationale and implementation status and how to maintain the scope and SoA over time. Operational implementation differences are highlighted to avoid “documented but not done” gaps.
Applicable environments
This module applies to organisations implementing or operating an information security management system (ISMS) in line with ISO/IEC 27001. It focuses on how the standard’s requirements are interpreted and applied in practice within real organisational contexts.
The content is relevant for organisations seeking certification as well as for those using ISO/IEC 27001 as a reference framework to structure responsibilities, processes, and controls in the information security domain.
Target audience
Target audience
Target audience
People involved in designing, building, operating, or improving an ISMS aligned with ISO/IEC 27001
Executives and department heads accountable for the effectiveness and performance of an ISMS
Those responsible for processes, policies, assets, risks, and controls related to information security
Auditors of ISO/IEC 27001 who want to deepen their understanding of management-side best practices (not audit technique)
People involved in designing, building, operating, or improving an ISMS aligned with ISO/IEC 27001
Executives and department heads accountable for the effectiveness and performance of an ISMS
Those responsible for processes, policies, assets, risks, and controls related to information security
Auditors of ISO/IEC 27001 who want to deepen their understanding of management-side best practices (not audit technique)
Decision support
Is this module for you?
It is a good fit if you…
are responsible for defining, maintaining, or defending an ISMS scope.
struggle with vague, copied, or unstable Statements of Applicability.
need scope and SoA decisions that are defensible in audits and incidents.
must align ISMS boundaries with real organisational, technical, or supplier boundaries.
want scope and applicability decisions that remain valid as the organisation changes.
are responsible for defining, maintaining, or defending an ISMS scope.
struggle with vague, copied, or unstable Statements of Applicability.
need scope and SoA decisions that are defensible in audits and incidents.
must align ISMS boundaries with real organisational, technical, or supplier boundaries.
want scope and applicability decisions that remain valid as the organisation changes.
If most of the points above apply, this module is likely a good fit.
It may not be the best fit if you…
are only looking for a generic overview of ISO/IEC 27001.
expect a risk assessment or control implementation course.
want a template-only walkthrough without decision logic.
already operate a clear, stable, and well-defended ISMS scope and SoA.
are only looking for a generic overview of ISO/IEC 27001.
expect a risk assessment or control implementation course.
want a template-only walkthrough without decision logic.
already operate a clear, stable, and well-defended ISMS scope and SoA.
Agenda
Agenda
Agenda
What ISO/IEC 27001 expects from “scope” and “boundaries”
Applying scoping logic to the ISMS (without re-teaching the generic method)
Building a scope statement that is operationally usable
From risk treatment outputs to control applicability decisions (inputs, not methods)
Statement of Applicability (SoA): structure, minimum content, and traceability
Maintaining scope and SoA over time
Case-based workshop
Show detailed agenda...
What ISO/IEC 27001 expects from “scope” and “boundaries”
Applying scoping logic to the ISMS (without re-teaching the generic method)
Building a scope statement that is operationally usable
From risk treatment outputs to control applicability decisions (inputs, not methods)
Statement of Applicability (SoA): structure, minimum content, and traceability
Maintaining scope and SoA over time
Case-based workshop
Show detailed agenda...
What ISO/IEC 27001 expects from “scope” and “boundaries”
Applying scoping logic to the ISMS (without re-teaching the generic method)
Building a scope statement that is operationally usable
From risk treatment outputs to control applicability decisions (inputs, not methods)
Statement of Applicability (SoA): structure, minimum content, and traceability
Maintaining scope and SoA over time
Case-based workshop
Show detailed agenda...
Learning outcomes
Learning outcomes
Learning outcomes
Key outcomes
Draft an ISO/IEC 27001‑aligned scope statement with clear boundaries and rationale
Identify interfaces, dependencies and assumptions that influence the scope
Use risk treatment outputs to decide which controls are applicable and justify those decisions
Draft an ISO/IEC 27001‑aligned scope statement with clear boundaries and rationale
Identify interfaces, dependencies and assumptions that influence the scope
Use risk treatment outputs to decide which controls are applicable and justify those decisions
Additional capabilities
Structure a Statement of Applicability with clear rationale and implementation status
Distinguish between documented applicability and operational implementation to spot gaps
Define maintenance rules and triggers to keep the scope and SoA current over time
Structure a Statement of Applicability with clear rationale and implementation status
Distinguish between documented applicability and operational implementation to spot gaps
Define maintenance rules and triggers to keep the scope and SoA current over time
Additional benefits
Additional benefits
Additional benefits
Learning materials
Slide deck
Participant workbook
Templates & tools
Practical, reusable artefacts to apply the module directly to your organisation.
ISMS scope statement template
Boundary & interface mapping canvas
Scope decision checklist
Statement of Applicability template
Scope / SoA review & change-trigger log
ISMS scope statement template
Boundary & interface mapping canvas
Scope decision checklist
Statement of Applicability template
Scope / SoA review & change-trigger log
Confirmation
Certificate of completion
Module ID
HAM-IS-S-01
Domain
Audience
Manager
Language
English
Delivery
Live virtual
Duration
7 h
List price
CHF 550
Excl. VAT. VAT may apply depending on customer location and status.
Delivery & learning format
Delivery & learning format
Delivery & learning format
Virtual live teaching
This module is delivered live, with a strong focus on discussion, practical application, and direct interaction with the instructor.
Sessions work through realistic examples, clarify concepts in context, and apply methods directly to participants’ organisational realities.
Custom delivery options
For organisations with specific constraints or learning objectives, the module can be adapted in format or scope, including in-house delivery and contextualised case material.
Not sure if this module is right for you?
Not sure if this module is right for you?
Not sure if this module is right for you?
For an optimal learning experience
Preparation guidance
This module is designed as part of a modular training approach. Topics are deliberately distributed across modules and are not repeated in full, in order to avoid unnecessary redundancy. Each module is self-contained and can be taken on its own. Where prior knowledge or experience is helpful, this is indicated below so you can decide whether any preparation is useful for you.
For an optimal learning experience
Preparation guidance
This module is designed as part of a modular training approach. Topics are deliberately distributed across modules and are not repeated in full, in order to avoid unnecessary redundancy. Each module is self-contained and can be taken on its own. Where prior knowledge or experience is helpful, this is indicated below so you can decide whether any preparation is useful for you.
For an optimal learning experience
Preparation guidance
This module is designed as part of a modular training approach. Topics are deliberately distributed across modules and are not repeated in full, in order to avoid unnecessary redundancy. Each module is self-contained and can be taken on its own. Where prior knowledge or experience is helpful, this is indicated below so you can decide whether any preparation is useful for you.
Assumed background
This module assumes participants already understand the generic logic of context, stakeholders, and boundary/scoping decisions (owned by System Foundations) and can work with basic documented information practices.
Helpful background includes:
Familiarity with the organisation’s services/processes, delivery model, and key suppliers
Basic information security literacy (assets/services, common control categories, shared responsibility concepts)
Basic risk-and-treatment logic as a management-system capability (method is not taught here)
This module assumes participants already understand the generic logic of context, stakeholders, and boundary/scoping decisions (owned by System Foundations) and can work with basic documented information practices.
Helpful background includes:
Familiarity with the organisation’s services/processes, delivery model, and key suppliers
Basic information security literacy (assets/services, common control categories, shared responsibility concepts)
Basic risk-and-treatment logic as a management-system capability (method is not taught here)
Preparatory modules
Foundational modules (depending on background)
Useful if you are new to the underlying concepts or want a shared baseline before attending this module.
System Foundations
Understand organisational context, stakeholders, and system boundaries to build and operate effective management systems
7 h
System Foundations
Understand organisational context, stakeholders, and system boundaries to build and operate effective management systems
7 h
System Foundations
Understand organisational context, stakeholders, and system boundaries to build and operate effective management systems
7 h
Supporting modules (optional)
Helpful if you want to deepen related skills, but not required to participate effectively.
Risk Management Foundations
Learn the fundamentals of identifying, evaluating, treating, and monitoring risks and opportunities across management systems
7 h
Risk Management Foundations
Learn the fundamentals of identifying, evaluating, treating, and monitoring risks and opportunities across management systems
7 h
Risk Management Foundations
Learn the fundamentals of identifying, evaluating, treating, and monitoring risks and opportunities across management systems
7 h
Continuous learning
Follow-up modules
Continuous learning
Follow-up modules
Continuous learning
Follow-up modules
After completion of this module, the following modules are ideal to further deepen your competence. If you are looking for a structured learning path, modules can also be taken as part of a professional track.
Risk Management Foundations
Learn the fundamentals of identifying, evaluating, treating, and monitoring risks and opportunities across management systems
Duration
7 h
List price
CHF 550
View module
Risk Management Foundations
Learn the fundamentals of identifying, evaluating, treating, and monitoring risks and opportunities across management systems
Duration
7 h
List price
CHF 550
View module
Risk Management Foundations
Learn the fundamentals of identifying, evaluating, treating, and monitoring risks and opportunities across management systems
Duration
7 h
List price
CHF 550
View module
Information Security Risk Management
Understand ISO/IEC 27001 requirements for information security risk assessment, risk treatment, and traceable risk decisions
Duration
7 h
List price
CHF 550
View module
Information Security Risk Management
Understand ISO/IEC 27001 requirements for information security risk assessment, risk treatment, and traceable risk decisions
Duration
7 h
List price
CHF 550
View module
Information Security Risk Management
Understand ISO/IEC 27001 requirements for information security risk assessment, risk treatment, and traceable risk decisions
Duration
7 h
List price
CHF 550
View module
Policy Management
Build a coherent, auditable policy framework that aligns with strategy, scales across entities, and stays current without bureaucracy
Duration
7 h
List price
CHF 550
View module
Policy Management
Build a coherent, auditable policy framework that aligns with strategy, scales across entities, and stays current without bureaucracy
Duration
7 h
List price
CHF 550
View module
Policy Management
Build a coherent, auditable policy framework that aligns with strategy, scales across entities, and stays current without bureaucracy
Duration
7 h
List price
CHF 550
View module
Documentation & Knowledge Foundations
Fundamentals of documented information control, records, and knowledge capture for management systems
Duration
7 h
List price
CHF 550
View module
Documentation & Knowledge Foundations
Fundamentals of documented information control, records, and knowledge capture for management systems
Duration
7 h
List price
CHF 550
View module
Documentation & Knowledge Foundations
Fundamentals of documented information control, records, and knowledge capture for management systems
Duration
7 h
List price
CHF 550
View module
Ready to improve your management systems?
We support continuous improvement by embedding ISO requirements into everyday practice and daily operations.
Ready to improve your management systems?
We support continuous improvement by embedding ISO requirements into everyday practice and daily operations.
Ready to improve your management systems?
We support continuous improvement by embedding ISO requirements into everyday practice and daily operations.