Defining Your ISMS Scope: The First Step to ISO 27001 Success for MSPs

Setting Boundaries That Build Trust and Compliance

For Managed Service Providers (MSPs), information security isn’t just a technical goal; it’s a contractual responsibility. Every client relies on you to protect their networks, data, and systems. But before your first control is designed or your first audit scheduled, ISO 27001 requires one crucial foundation: defining your ISMS scope.

Your Information Security Management System (ISMS) scope establishes the boundaries of your cybersecurity universe: where your responsibilities begin and end, and how external relationships (like cloud providers, clients, and subcontractors) are managed.

At Canadian Cyber, our ISMS Scope Template (CC-ISMS-001) helps MSPs define that universe clearly, covering sites, systems, information assets, and supplier interfaces, in full compliance with ISO/IEC 27001:2022 Clause 4.3 and ISO/IEC 27006-1:2024 certification requirements.

Why Defining ISMS Scope Matters for MSPs

A poorly defined scope is one of the top reasons ISO 27001 implementations fail audits. MSPs often manage multi-tenant infrastructures, hybrid environments, and multiple client networks. Without a defined ISMS boundary, you risk:

  • Missing critical assets or cloud environments in your security coverage
  • Over-extending the ISMS to areas outside your control
  • Confusion about who is responsible for protecting which systems
  • Gaps in supplier management or client data protection obligations

A well-crafted ISMS Scope ensures you:

  • Protect all information assets you truly control
  • Include all relevant physical and cloud locations
  • Identify supplier dependencies and interfaces
  • Align your Statement of Applicability (SoA) and risk treatment plans with real-world operations

It’s the blueprint auditors look for first and the foundation every MSP should get right.

Building Your ISMS Scope Using the CC-ISMS-001 Template

The CC-ISMS-001 template from Canadian Cyber follows ISO 27001’s lifecycle precisely, ensuring your ISMS scope is clear, justified, and audit-ready.

It defines how to identify internal and external issues, map systems, classify interfaces, specify inclusions and exclusions, and link documentation to your SoA and risk register.

📄 Sample ISMS Scope Document

(Based on the Canadian Cyber CC-ISMS-001 Template)

Note: The following example uses a fictitious company, Maple Shield IT Services Inc., created for demonstration purposes.

Field             Details
Document Title    ISMS Scope
Document Number   MS-ISMS-001
Version           2.0
Date              October 2025
Company           Maple Shield IT Services Inc.
Classification    Confidential

1. Purpose

This document defines the boundaries and applicability of Maple Shield’s ISMS, in accordance with ISO/IEC 27001:2022 Clause 4.3. It establishes the scope for certification, outlines included sites, systems, and services, and defines interfaces with third-party providers and clients.

2. Scope

2.1 Organizational Context

Legal Entity: Maple Shield IT Services Inc., a Canadian MSP headquartered in Toronto, Ontario, serving SMBs nationwide.

Operating Model: Hybrid on-premises and cloud operations supporting 24×7 client IT management and cybersecurity monitoring services.

Certification Objective: ISO/IEC 27001:2022 certification covering corporate, operational, and cloud-hosted environments where information security activities occur.

2.2 Included Locations

  • Head Office (Toronto, ON): Management, NOC/SOC, HR, Finance
  • Data Center Colocation (Mississauga, ON): Client hosting and backup infrastructure
  • Remote Staff (Canada-wide): Securely managed laptops and VPN access
  • Cloud Environments: Microsoft 365 and AWS accounts supporting monitoring and ticketing applications

2.3 Included Processes & Information

  • Service delivery for managed IT and security operations
  • Core ISMS functions: risk management, incident response, access control, business continuity
  • Supporting functions: HR, Finance, Legal, Procurement
  • Information assets: client network data, system credentials, audit logs, employee data, contracts

2.4 Technical Scope

  • On-premises: AD, ticketing, SIEM, backup, and network appliances
  • Cloud/SaaS: Microsoft 365, AWS workloads, SOC automation tools
  • Endpoints: corporate laptops with EDR protection
  • Networks: corporate LAN/WAN, VPN, secure remote connections

2.5 Interfaces & Dependencies

  • Cloud providers (Microsoft, AWS)
  • Managed security and vendor tools
  • Client environments under MSP agreements
  • Telecom providers and data centers

2.6 Exclusions

Activities unrelated to IT managed services (e.g., personal employee devices) are excluded with justification in the Statement of Applicability (CC-ISMS-006).

3. References

  • ISO/IEC 27001:2022 Clauses 4.1–4.3, 7.5.3
  • ISO/IEC 27002:2022 5.31 (Legal & Contractual Requirements)
  • ISO/IEC 27006-1:2024 9.1.3.6 (Scope & Interfaces)
  • CC-ISMS-003 Risk Assessment Methodology
  • CC-ISMS-004 Risk Register & Treatment Plan
  • CC-ISMS-006 Statement of Applicability
  • CC-ISMS-008 Internal Audit Program & Reports

4. Definitions & Acronyms

  • ISMS: Information Security Management System
  • MSP/MSSP: Managed (Security) Service Provider
  • SoA: Statement of Applicability
  • CSP: Cloud Service Provider

5. Roles & Responsibilities

Role                Responsibility
Top Management      Approves scope and ensures strategic alignment.
ISMS Manager        Maintains document and coordinates scope reviews.
Process Owners      Identify in-scope assets and interfaces.
Procurement/Legal   Ensure supplier contracts meet ISO 27001 controls.
Internal Audit      Verifies scope during audits and reviews.

6. Policy & Procedure Highlights

  • Identify internal/external issues affecting ISMS outcomes.
  • Define boundaries and applicability with suppliers and clients.
  • Include remote and cloud operations explicitly.
  • Review scope annually or upon major change.
  • Link to the latest SoA (CC-ISMS-006).

7. Compliance Mapping

  • ISO 27001 Clause 4.3 — Defining ISMS boundaries & applicability
  • Clauses 4.1–4.2 — Context & interested parties
  • ISO 27006-1 Section 9.1.3.6 — Interfaces & dependencies
  • ISO 27002 Control 5.31 — Legal & contractual requirements

8. Continuous Improvement

Maple Shield reviews its ISMS scope annually and whenever major changes occur. Scope updates follow controlled document change procedures and are approved by Top Management.

📄 End of Sample Record

Why This Example Works

This sample shows how a well-defined ISMS scope keeps an MSP’s ISO 27001 system focused and audit-ready.

  • Aligns scope with services actually delivered
  • Documents dependencies and supplier interfaces
  • Prevents overreach or gaps in coverage
  • Ensures clear responsibility for each location and system

How Canadian Cyber Helps MSPs Define Their ISMS Scope

  • ISMS Scope Template (CC-ISMS-001) customized for MSP operations
  • Statement of Applicability & Risk Register Integration
  • Supplier & Cloud Dependency Mapping
  • Virtual CISO (vCISO) Implementation Support
  • Audit Preparation & Readiness Assessments

We ensure your scope isn’t just compliant; it’s comprehensive and credible.

Ready to Define Your ISO 27001-Compliant ISMS Scope?

Your scope is the foundation of your ISMS. Let’s build it right the first time.

Canadian Cyber: Defining Scope, Building Trust, and Securing Your Path to ISO 27001 Success.