Delivering ISO27001 — Part 2 of 4 — ISMS Scope, SOA and Application Letter

Getting the “paperwork” in order is key to the success of your ISO27001 audits. Whilst the ISMS Scope, Application Letter, and SOA feel like a huge amount of work upfront, the process of bringing this information together is going to give you a clear idea of where to focus your efforts. No more Crystal Ball🔮 needed!

Before we get into it, I recommend reading my last post, in which we went over common terminology in relation to ISO27001. I’d recommend grabbing a coffee ☕, and we’ll start by going over what to include within our ISMS Scope.

ISMS Scope

The simplest way to think about the ISMS Scope is that it should be a written definition of the data that you’re trying to protect, and where it lives. Simple, right?

What should, and what should not, be included within scope is defined in Clause 4.3 of the ISO27001 standard. If you don’t own a copy of the ISO27001 standard yet, you’re going to need to get yourself a copy. Click here to purchase a copy of the ISO27001 standard.

To make this post easier to follow, I’ve broken the ISMS scope up into three parts. The scope document itself, however, is a single document.

ISMS Scope: Part one

Your ISMS Scope document should start with you outlining your business’s approach to how all data is protected. This includes the treatment of customer data, employee data, and any physical data stored. You should also define the assets which are in scope, which should include laptops, desktop computers, mobile phones, and servers, whether that’s your own hardware, or something hosted in the cloud.

Anything which could be used to view, process, edit, or remove customer data should be considered as within scope (assets, servers, etc.), including the office spaces in which business is conducted.

Protip: If you’re a remote-based company, it’s entirely plausible that you won’t have a physical office space, and this part of the ISO27001 standard will be out of scope. Don’t get complacent though! Not having a physical office space means that endpoint protection must be robust, hardware must be encrypted, and any connection to data must use the highest security protocols.

ISMS Scope: Part two

In the next part of the ISMS scope, we define what the company will do to meet the ISO27001 standard. This typically takes the form of a list of processes which you have implemented to meet the ISO27001 standard. Some examples of the things you might do are:

  • Conduct ongoing security awareness training for your employees
  • Manage, record and mitigate risks
  • Disclose appropriate policies to interested parties
  • Set out how you’ll manage incidents and so on.

You should also disclose all in-scope physical locations, and the number of in-scope employees, in this part of the ISMS scope.

ISMS Scope: Part three

In the last part of the ISMS scope, we document interested parties, 3rd party vendors, and a summary of policies within your ISMS.

Interested parties are those whose data you hold and process, to whom you are legally answerable, or on whom you are dependent for the delivery of your services. In the UK, a good example of an interested party is the Information Commissioner’s Office or UK Action Fraud.

You will also need to list out all 3rd party vendors on which you are reliant for delivery of services. This could be a managed IT service, hosting services, telephony providers, and the like.

Finally, we need to provide a summary of the policies which go into composing your ISMS, and how often, and by whom, the policies are reviewed and updated. This only needs to be a couple of sentences.


SOA

Next up, we will look into the most time-consuming (in my experience) part of this ISO27001 preparation phase, the SOA. SOA stands for Statement of Applicability and is the definition of which of the ISO27001 controls and policies apply to your business. The SOA doesn’t have to be completed for Stage 1 of your ISO27001 audit but must be complete by the Stage 2 Audit.

The SOA will show the auditor which of the 114 controls outlined in Annex A of the ISO27001 standard apply to your business, why they do (or don’t) apply, how you implement and govern those controls, as well as any additional information in relation to those controls.

In my experience, the SOA is a great way to identify gaps within your ISMS. It forces you to identify every single control, and evaluate whether you are suitably implementing that control, or not. If not, that control goes on your to-do list to get done ahead of your ISO27001 audit.

Application Letter

When you are ready to go for your audit, you’ll need to do two things.

  1. Select an auditing company
  2. Prepare your application letter

The application letter outlines your intention to undertake an audit for the purposes of ISO27001 certification. We need to include the following information in the Application Letter:

  • Your ISMS Scope
  • Which services are being audited
  • Which physical locations are being audited
  • Which legal, regulatory or contractual obligations are in place
  • Which departments are included within scope for auditing (these are typically people with access to data)
  • Which vendors are utilised for processing, managing or storing data
  • Whether you’ve used an outside consulting service to assist in the implementation of your ISMS
  • Additional information in relation to business activities, working practices, legal requirements, geographical or cultural aspects, outstanding risks, and/or information security incidents.

Now that we have all of that wonderful information, we understand so much more! We know the boundaries of what will and won’t be audited, and we know who is, and who isn’t, in scope come audit time. Possibly most importantly, however, we know where the weaknesses within our ISMS are, and we know where we need to focus our attention in order to complete ISO27001. 💃

As promised, you can download free templates for the ISMS Scope, SOA, and the Application Letter here.

Next up, we’re going to be getting into the meat of ISO27001 compliance. We’ll be looking at the ISO27001 policies and controls, what good looks like, and some tips, from my experience, for success. 💪