Training Module
ISMS Scope, Boundaries & Statement of Applicability
Understand how to define an ISO/IEC 27001 ISMS scope and boundaries and document a Statement of Applicability
Training module overview
Many organisations treat the ISMS scope and Statement of Applicability (SoA) as documentation tasks done once for certification. The result is often a scope that is either overly broad (and impossible to operate) or overly narrow (and misleading), plus an SoA that lists controls without clear applicability decisions, rationale, or a realistic “implemented” view.
This full-day ISO/IEC 27001 specialisation module shows how to translate established scoping and boundary thinking into ISO/IEC 27001’s specific expectations: defining what the ISMS covers (and what it does not), clarifying interfaces and dependencies, and producing an SoA that remains traceable to risk-treatment decisions—without re-teaching risk methods or control implementation.
Target audience
ISMS managers and coordinators responsible for ISO/IEC 27001 implementation or maintenance
Information security and compliance leads shaping ISMS boundaries across teams and suppliers
IT/service owners contributing to scope definition and applicability decisions
Management-system implementers integrating ISO/IEC 27001 into an existing governance structure
Agenda
What ISO/IEC 27001 expects from “scope” and “boundaries”
Scope intent: credible coverage vs. false assurance
Typical failure modes: “scope by org chart”, “scope by location”, “scope by tooling”
Applying scoping logic to the ISMS (without re-teaching the generic method)
Translating organisational context, services, and delivery model into an ISMS boundary
Interfaces and dependencies: internal teams, shared platforms, external providers
Building a scope statement that is operationally usable
What the scope statement must communicate (coverage, exclusions, interfaces)
Handling multi-site, multi-service, and group structures without overpromising
From risk treatment outputs to control applicability decisions (inputs, not methods)
Required inputs and decision points (risk treatment decisions as the driver)
“Applicable / not applicable” decisions: what makes them defensible
Statement of Applicability (SoA): structure, minimum content, and traceability
SoA as a decision record: rationale, implementation status, references
Keeping it consistent with policies, operational controls, and evidence reality
Maintaining scope and SoA over time
Change triggers: organisational changes, supplier shifts, platform changes, incidents
Ownership, review cadence, and integration into management routines
Workshop (case-based, Halderstone default case)
Draft a scope boundary and interface map for the case organisation
Produce a defensible mini-SoA excerpt with clear applicability rationale and update triggers
Course ID: HAM-ISBS-1
Audience: Manager
Domain: Information Security
Available in: English
Duration: 7 h
List price: CHF 550
Excl. VAT. VAT may apply depending on customer location and status.
What you get
Learning outcomes
Draft an ISO/IEC 27001-aligned ISMS scope statement that communicates boundaries, interfaces, and exclusions clearly
Identify and document key ISMS interfaces and dependencies that materially affect control applicability
Use risk-treatment outputs as inputs to make explicit, defensible applicability decisions (without redefining risk method)
Structure a Statement of Applicability that includes rationale, implementation status, and traceable references
Distinguish “documented applicability” from “operationally implemented” and manage that gap transparently
Define practical maintenance rules: ownership, review cadence, and change triggers for scope and SoA
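The SoA expectations in the outcomes above (an explicit applicability decision, a rationale, traceability to risk-treatment outputs, and an implementation status that is backed by evidence) can be made mechanically checkable. The following Python script is an added example and is not part of the module materials or its templates: it encodes a mini-SoA excerpt as rows, links them to constructed risk-treatment decisions, and reports rows that break the traceability or consistency rules, including the gap between "documented as applicable" and "operationally implemented". Control identifiers and titles are assumed to follow the ISO/IEC 27001:2022 Annex A numbering; the decisions, risk identifiers (R-01 and so on), evidence references and rationale texts are constructed sample data.

```python
"""Statement of Applicability (SoA) consistency checker (added illustration).

The rows, risk IDs and evidence references below are constructed sample data;
control numbering is assumed to follow ISO/IEC 27001:2022 Annex A.
"""
from dataclasses import dataclass, field

APPLICABLE = "applicable"
NOT_APPLICABLE = "not applicable"
STATUSES = ("implemented", "partially implemented", "planned", "not implemented")


@dataclass
class SoAEntry:
    """One SoA row: the decision, why it was taken, and how far it is in place."""
    control_id: str
    title: str
    applicability: str                 # APPLICABLE or NOT_APPLICABLE
    rationale: str                     # justification for inclusion or exclusion
    risk_refs: list = field(default_factory=list)      # risk-treatment decisions driving inclusion
    status: str = "not implemented"    # one of STATUSES
    evidence_refs: list = field(default_factory=list)  # policies, records, tickets backing the status


@dataclass
class RiskTreatment:
    """A risk-treatment decision and the controls it relies on (the SoA's input side)."""
    risk_id: str
    control_ids: list


def check_soa(entries, treatments):
    """Return (control_id, message) findings for traceability and consistency defects."""
    findings = []
    by_control = {e.control_id: e for e in entries}
    known_risks = {t.risk_id for t in treatments}

    for e in entries:
        if e.applicability not in (APPLICABLE, NOT_APPLICABLE):
            findings.append((e.control_id, f"invalid applicability value {e.applicability!r}"))
            continue
        if not e.rationale.strip():
            findings.append((e.control_id, "missing rationale for the applicability decision"))
        for rid in e.risk_refs:
            if rid not in known_risks:
                findings.append((e.control_id, f"references unknown risk-treatment decision {rid}"))
        if e.status not in STATUSES:
            findings.append((e.control_id, f"invalid implementation status {e.status!r}"))
            continue

        if e.applicability == APPLICABLE:
            if not e.risk_refs:
                findings.append((e.control_id, "applicable but not traceable to any risk-treatment decision"))
            if e.status == "implemented" and not e.evidence_refs:
                findings.append((e.control_id, "claimed implemented without an evidence reference"))
            elif e.status != "implemented":
                # The documented-vs-operational gap: report it, do not hide it.
                findings.append((e.control_id, f"documented as applicable but status is '{e.status}'"))
        elif e.evidence_refs or e.status != "not implemented":
            findings.append((e.control_id, "excluded control carries implementation data; decision is inconsistent"))

    # Reverse traceability: every control a treatment relies on must be an applicable SoA row.
    for t in treatments:
        for cid in t.control_ids:
            entry = by_control.get(cid)
            if entry is None:
                findings.append((cid, f"risk {t.risk_id} relies on a control absent from the SoA"))
            elif entry.applicability != APPLICABLE:
                findings.append((cid, f"risk {t.risk_id} relies on a control marked not applicable"))
    return findings


def sample_entries():
    """Constructed mini-SoA excerpt with deliberate defects."""
    return [
        SoAEntry("A.5.1", "Policies for information security", APPLICABLE,
                 "Baseline governance control required by the ISMS policy framework",
                 risk_refs=["R-01"], status="implemented", evidence_refs=["POL-IS-001"]),
        SoAEntry("A.5.23", "Information security for use of cloud services", NOT_APPLICABLE,
                 ""),                                    # excluded without saying why
        SoAEntry("A.7.4", "Physical security monitoring", NOT_APPLICABLE,
                 "No organisation-controlled premises in scope; serviced offices are monitored by the landlord"),
        SoAEntry("A.8.9", "Configuration management", APPLICABLE,
                 "Treats R-02 (configuration drift on the customer-facing platform)",
                 risk_refs=["R-02"], status="partially implemented", evidence_refs=["CM-BASELINE-2"]),
        SoAEntry("A.8.12", "Data leakage prevention", APPLICABLE,
                 "Tooling was bought, so it was ticked as applicable",   # no risk link, no evidence
                 status="implemented"),
    ]


def sample_treatments():
    """Constructed risk-treatment decisions (the driver of applicability)."""
    return [
        RiskTreatment("R-01", ["A.5.1"]),
        RiskTreatment("R-02", ["A.8.9"]),
        RiskTreatment("R-03", ["A.5.23"]),   # relies on a control the SoA excludes
    ]


if __name__ == "__main__":
    for control_id, message in check_soa(sample_entries(), sample_treatments()):
        print(f"{control_id}: {message}")
```

Run as-is, the script reports five findings for the sample: the undocumented exclusion (A.5.23), the exclusion that a risk treatment still depends on (R-03), a control that is applicable but only partially in place (A.8.9), and a control marked implemented with neither a risk-treatment link nor evidence (A.8.12). In practice the rows would be loaded from the SoA template rather than embedded, and the same checks can run at each review cadence or change trigger.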
Learning materials
Slide deck
Participant workbook
Certificate of completion
Templates & tools
ISO/IEC 27001 ISMS scope statement template
Boundary & interface mapping canvas (services, teams, suppliers, platforms)
Scope decision checklist (common pitfalls and completeness checks)
Statement of Applicability template (with rationale + implementation status fields)
Scope/SoA review & change-trigger log
Optional AI prompt set for monitoring scope-relevant change signals (contracts, supplier notices, major platform changes) — supportive only, not a decision-maker
Prerequisites
This module assumes participants already understand the generic logic of context, stakeholders, and boundary/scoping decisions (owned by System Foundations) and can work with basic documented information practices.
Helpful background includes:
Familiarity with the organisation’s services/processes, delivery model, and key suppliers
Basic information security literacy (assets/services, common control categories, shared responsibility concepts)
Basic risk-and-treatment logic as a management-system capability (method is not taught here)
Strongly recommended preparatory modules
System Foundations: Context, Stakeholders, and System Boundaries
Understand organisational context, stakeholders, and system boundaries
7 h
Helpful preparatory modules
The modules below prepare for an optimal learning experience – but are not strictly necessary for participants to follow.
Documentation & Knowledge Foundations: Documented Information, Records, and Organisational Knowledge
Fundamentals of documented information control, records, and knowledge capture for management systems
7 h
Risk Management Foundations: Consistent Risk and Opportunity Logic Across Management Systems
Learn the fundamentals of identifying, evaluating, treating, and monitoring risks and opportunities across management systems.
7 h
Continuous learning
Follow-up modules
After completion of this module, the following modules are ideal to further deepen the participant's competence.

Ready to achieve mastery?
Bring ISO requirements into everyday practice to reduce avoidable issues and strengthen the trust of your customers and stakeholders.