
ISMS Scope Statement (ISO 27001 Clause 4.3)


    Overview

    Define and validate the ISMS scope boundaries (physical, organizational, technical) with justified exclusions and no Shadow IT gaps. Includes boundary integrity checker and exclusion logic validator for audit-ready scope statements.

    Example Conversation

    You: We’re preparing for our ISO 27001 surveillance audit. I have a scope document and our org chart and system list. I need to make sure nothing is left out of scope without justification and that exclusions are defensible.

    Agent: I’ll run the boundary integrity checker using your scope document, org chart, and network map. That will flag any department or system that appears in your org/network but isn’t in scope or in exclusions — potential Shadow IT or scope gap. Then I’ll run the exclusion logic validator to ensure every exclusion has a rigorous security justification, especially for any core business services.

    Agent: Running boundary_integrity_checker

    Agent: Boundary Integrity Checker — two findings: [WARNING] Department “Marketing” and system “Legacy CRM” appear in org/network but are not in scope or exclusions. I’ve added them to the scope document as exclusions with a placeholder justification. Please replace the placeholder with your actual risk assessment or management approval. Running exclusion_logic_validator next.

    You: I’ve filled in the justification for Marketing and Legacy CRM. Our core business services are in core_services.txt. Run the exclusion validator again.

    Agent: Running exclusion_logic_validator with your scope document and core_services.txt…

    Agent: Exclusion Logic Validator — RESULT: Exclusions appear to have adequate justifications. No errors; the scope is ready for audit from an exclusion-logic perspective.

    What the Tools Validate

    The skill includes two extension tools that run against the scope document (JSON with in_scope and exclusions):

    boundary_integrity_checker ensures no departments or systems are left unaddressed (potential Shadow IT):

    • Accepts the scope document path plus optional paths to an org chart JSON (departments) and network map JSON (systems)
    • Compares every department and system in those files to the scope: each must appear either in in_scope or in exclusions
    • Reports WARNING for each entity that is neither in scope nor excluded — indicating a boundary gap or Shadow IT that auditors may question
    • Use when drafting or revising the scope and when you have org chart and/or network inventory so the declared boundary matches reality

    exclusion_logic_validator ensures exclusions have rigorous security justifications (a common cause of audit failure):

    • Accepts the scope document path and an optional path to a core business services list (JSON array or one per line)
    • For each exclusion, checks that the justification is substantive (length and keywords such as risk, assessment, approved, documented, residual risk)
    • For exclusions that match the core business services list, requires a strong justification; otherwise reports ERROR (audit risk)
    • For other exclusions with weak or missing justification, reports WARNING
    • Use before finalising the scope so every exclusion is defensible to auditors
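    The following is an added example, not the skill's own tool code: a minimal Python re-implementation of the two checks described above, so the logic can be run offline against a scope document shaped like the Output Excerpt below. The length and keyword-count thresholds are assumptions (the page says "length and keywords" but gives no numbers), and the sample scope document, org chart, system list and core services list are constructed here to mirror the Example Conversation.

```python
import re

# Keywords the page lists as signals of a substantive justification.
JUSTIFICATION_KEYWORDS = ("risk", "assessment", "approved", "documented", "residual risk")
# Assumed thresholds: the page does not specify numbers for "length and keywords".
MIN_JUSTIFICATION_LEN = 80
MIN_KEYWORD_HITS = 3


def _norm(name: str) -> str:
    """Case- and whitespace-insensitive key so 'legacy crm' matches 'Legacy CRM'."""
    return re.sub(r"\s+", " ", name).strip().casefold()


def _exclusion_item(entry) -> str:
    """Exclusions may be plain strings or {"item": ..., "justification": ...} objects."""
    return entry["item"] if isinstance(entry, dict) else str(entry)


def boundary_integrity_checker(scope_doc, departments=(), systems=()):
    """WARNING for every department or system that is in neither in_scope nor exclusions."""
    declared = {_norm(x) for x in scope_doc.get("in_scope", [])}
    declared |= {_norm(_exclusion_item(e)) for e in scope_doc.get("exclusions", [])}
    findings = []
    for kind, names in (("Department", departments), ("System", systems)):
        for name in names:
            if _norm(name) not in declared:
                findings.append(("WARNING", f'{kind} "{name}" appears in org/network '
                                            f"but is neither in scope nor excluded"))
    return findings


def justification_strength(text) -> str:
    """'missing', 'weak' or 'strong', judged by length and keyword hits (assumed rule)."""
    if not text or not text.strip():
        return "missing"
    lowered = text.casefold()
    hits = sum(1 for kw in JUSTIFICATION_KEYWORDS if kw in lowered)
    if len(text) >= MIN_JUSTIFICATION_LEN and hits >= MIN_KEYWORD_HITS:
        return "strong"
    return "weak"


def _is_core_service(item: str, core_services) -> bool:
    """Substring match either way so 'App X' and 'Customer-facing application (App X)' agree."""
    n = _norm(item)
    return any(_norm(c) in n or n in _norm(c) for c in core_services if c.strip())


def exclusion_logic_validator(scope_doc, core_services=()):
    """ERROR for core services lacking a strong justification, WARNING for other weak ones."""
    findings = []
    for entry in scope_doc.get("exclusions", []):
        item = _exclusion_item(entry)
        just = entry.get("justification", "") if isinstance(entry, dict) else ""
        strength = justification_strength(just)
        if strength == "strong":
            continue
        if _is_core_service(item, core_services):
            findings.append(("ERROR", f'Core business service "{item}" excluded with {strength} justification'))
        else:
            findings.append(("WARNING", f'Exclusion "{item}" has {strength} justification'))
    return findings


# Constructed sample input mirroring the page's Output Excerpt and Example Conversation.
SCOPE_DOC = {
    "in_scope": ["IT Department", "HR Department",
                 "Customer-facing application (App X)", "Data center DC1"],
    "exclusions": [{
        "item": "Legacy system Y (decommissioning Q3 2026)",
        "justification": ("Excluded per risk assessment 2025-01; residual risk accepted by CISO and "
                          "documented in risk register. System is network-isolated and scheduled for "
                          "decommissioning; no handling of in-scope information."),
    }],
}
ORG_DEPARTMENTS = ["IT Department", "HR Department", "Marketing"]
NETWORK_SYSTEMS = ["Customer-facing application (App X)", "Data center DC1",
                   "Legacy system Y (decommissioning Q3 2026)", "Legacy CRM"]
CORE_SERVICES = ["Customer-facing application (App X)"]

# Constructed weak document: a core service excluded with a one-liner, plus an empty justification.
WEAK_DOC = {
    "in_scope": ["IT Department"],
    "exclusions": [
        {"item": "App X", "justification": "Out of scope."},
        {"item": "Marketing", "justification": ""},
    ],
}

if __name__ == "__main__":
    for level, msg in boundary_integrity_checker(SCOPE_DOC, ORG_DEPARTMENTS, NETWORK_SYSTEMS):
        print(f"[{level}] {msg}")          # Marketing and Legacy CRM are flagged
    print(exclusion_logic_validator(SCOPE_DOC, CORE_SERVICES))   # [] : justification is strong
    for level, msg in exclusion_logic_validator(WEAK_DOC, CORE_SERVICES):
        print(f"[{level}] {msg}")          # ERROR for App X, WARNING for Marketing
```

    Keyword spotting is only a heuristic: a justification that says "risk assessment approved and documented" with no reference to an actual risk register entry would pass this check and still fail an auditor, so treat a "strong" result as a prompt to confirm the cited assessment and approval exist, not as proof that they do.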

    Output Excerpt

    A scope document (JSON) and a short narrative excerpt that the agent can produce and then validate with the tools:

    Scope document (excerpt):

    {
      "in_scope": [
        "IT Department",
        "HR Department",
        "Customer-facing application (App X)",
        "Data center DC1"
      ],
      "exclusions": [
        {
          "item": "Legacy system Y (decommissioning Q3 2026)",
          "justification": "Excluded per risk assessment 2025-01; residual risk accepted by CISO and documented in risk register. System is network-isolated and scheduled for decommissioning; no handling of in-scope information."
        }
      ]
    }
    

    Scope Statement narrative (excerpt):

    ## 2. Organizational and technical boundaries
    
    The ISMS covers the following organizational units and supporting technology: IT Department, HR Department; systems include the customer-facing application (App X) and the primary data center DC1. Third-party hosting for App X is documented in the interface register (ref. Interface Register v2.1).
    
    ## 3. Exclusions and justification
    
    The following are explicitly excluded from the scope:
    
    - **Legacy system Y (decommissioning Q3 2026):** Excluded per risk assessment 2025-01; residual risk accepted by CISO and documented in risk register. System is network-isolated and scheduled for decommissioning; no handling of in-scope information.
    
    All exclusions have been validated for justification adequacy via the exclusion logic validator. Scope and exclusions are reviewed quarterly and after material changes to organization or systems.
    

    Run boundary_integrity_checker and exclusion_logic_validator on the scope document to confirm boundary consistency and defensible exclusions before submission.

    Getting Started

    Add your source materials (scope document, org chart, network map, and optionally a core business services list) to the project workspace, then activate the ISMS Scope Statement (ISO 27001 Clause 4.3) skill. The agent will guide you through defining boundaries, justifying exclusions, and validating with both tools until the scope is audit-ready.
