psjenkins/ISMS
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
870a576aa41f4352748d27ff98463e52fb324d9a
ISMS/00-governance/isms-scope-statement.md
Paul Jenkins 5eade2d99b Initial commit
2026-03-26 09:35:22 +00:00

4.2 KiB
Raw Blame History

Title: ISMS Scope Statement Document ID: [GOV-ISMS-SCOPE-001] Version: 0.1 Draft Status: Draft Owner: CISO (Paul Jenkins) Approver: CEO (Paul Hague) Classification: Internal Effective date: [DD Month YYYY] Review date: [DD Month YYYY]

ISMS Scope Statement

Purpose

This document defines the intended scope of BlackDice's Information Security Management System (ISMS). It provides the working boundary for risk management, control selection, governance, and assurance activity.

Scope

The ISMS is intended to cover the people, processes, information, and technology used to design, build, operate, support, and assure BlackDice services within the approved organisational boundary.

The scope is expected to include, where applicable:

  • cloud-native SaaS service delivery activities
  • containerised and Kubernetes-based workloads
  • software engineering, code review, build, release, and CI/CD activities
  • security telemetry processing, monitoring, and operational support
  • supplier-supported services and third-party dependencies relevant to service delivery
  • customer assurance, information handling, and security governance activities

In-Scope Organisational Activities

The following activity groups should be treated as in scope unless explicitly excluded by approved scope decisions:

  • product and platform engineering
  • production operations and service support
  • security operations and incident handling
  • corporate functions handling in-scope information assets
  • supplier management for material service providers
  • internal governance, audit, and management review activities

In-Scope Assets and Information

In-scope assets are expected to include:

  • information used to operate, secure, or support BlackDice services
  • source code, build artefacts, and deployment configurations
  • cloud infrastructure, Kubernetes clusters, and supporting management planes
  • endpoints and collaboration systems used to access in-scope information
  • records generated by the ISMS, including risk, incident, exception, and audit records

Interested Parties and Interfaces

The ISMS should take account of the needs and expectations of relevant interested parties, including:

  • BlackDice personnel and contractors
  • customers and prospective customers
  • key suppliers and service providers
  • regulators and supervisory bodies where applicable
  • external auditors and assurance reviewers

Interfaces with customer-managed or operator-hosted environments must be defined during tailoring so that control responsibilities are clear for SaaS and operator-hosted deployment patterns.

Scope Boundaries and Exclusions

Any exclusions from scope must be explicitly documented, justified, reviewed for risk impact, and approved by [Approval Authority]. Exclusions must not undermine the ability of the ISMS to address material information security risks associated with BlackDice's operating model.

Current exclusions:

  • [No exclusions confirmed]

Assumptions and Constraints

  • Legal, contractual, and regulatory obligations remain subject to confirmation and ongoing review.
  • Roles, system names, and ownership assignments will be completed during tailoring.
  • Shared-responsibility boundaries with customers and suppliers may vary by service model and must be documented where relevant.

Roles and Responsibilities

  • The ISMS owner must maintain this scope statement.
  • Process and system owners must identify assets and activities that fall within the approved scope.
  • Management must review proposed scope changes where business, technology, or supplier arrangements materially change.

Monitoring and Review

This scope statement should be reviewed at least annually and when significant changes occur, including:

  • new products or service lines
  • material changes to hosting or deployment models
  • mergers, acquisitions, or organisational restructuring
  • major supplier changes
  • significant regulatory or contractual changes

Related Documents

  • Information Security Policy
  • ISMS Manual
  • Risk Assessment and Treatment Methodology
  • Statement of Applicability Template

Version Control

Version Date Description of Change Author
0.1 Draft [DD Month YYYY] Initial draft. [Name or Role]
Reference in New Issue View Git Blame Copy Permalink