At this point, you should start winding down Stage 2 by creating the high-level plans and documents that will dictate the implementation and management of your cybersecurity program. The best place to start is by drafting a master Scope Statement for your business cybersecurity program. The scope statement is a basic summary of the objectives and reach of the cybersecurity program. Make sure to clearly hit on the following topics in the scope statement:
- The security objectives of the program
- What areas of security are covered – Just cyber? Or are physical security and personnel security included?
- What data is covered – Are you only securing digital records in your program? Or are you implementing controls for paper records as well?
- The areas of your organization covered – Does it only cover on-site employees and facilities, or does it extend to remote workers and environments? What about cloud environments?
Your Scope Statement only needs to be a sentence or two long. Its effectiveness is all in the wording. Even though you may be tempted to just spit out the statement and move on to other plans, try to run it by the Steering Committee first to get secondary opinions on its wording and completeness.
Example Statements
The cybersecurity program is responsible for ensuring the Confidentiality, Integrity, and Availability of Bryant Realty's systems and data. It covers company data in both physical and digital forms, from initial processing to destruction. All information systems and identities managed by Bryant Realty are required to comply with the cybersecurity program regardless of location.
The cybersecurity program is responsible for ensuring the Confidentiality, Integrity, and Availability of all digital data processed, transmitted, and stored by Keegan's Crafts, LLC, both on the company premises and within company-managed cloud environments.
