ISO 27001 Scope Statement
In this guide, you will learn what an ISO 27001 Scope Statement is and how to write it yourself, and I give you a template you can download and use right away.
ISO 27001 Scope Statement Builder
A basic AI-Ready Interactive ISO 27001 Scope Statement Builder to kick start your ISO 27001 Scope Document Template.
Table of contents
- ISO 27001 Scope Statement
- ISO 27001 Scope Statement Builder
- What is an ISO 27001 Scope Statement?
- What is ISO 27001 Scope?
- ISO 27001 Scope Examples
- ISO 27001 Scope Statement vs Document Comparison
- How to write an ISO 27001 Scope Statement
- Management Review Checklist for ISMS Scope Approval
- Climate Change Impact on ISO 27001 Scoping
- ISO 27001 Scope Statement Examples
- ISO 27001 Scope Statement Template
- Scope Creep
- Watch the Video
- The Distinction: ISMS Scope vs. Statement of Applicability (SoA)
- Aligning ISO 27001, 9001 and 14001 Scope
- ISO 27001 Shared Responsibility Model: Interface Mapping
- ISO 27001 Scope Revision Trigger
- Auditor Cheat Sheet: ISO 27001 Scope Statement
- Comparison: ISO 27001 Toolkit vs Online SaaS Platforms for Scope Statements
- Scoping for Regulated Industries
- ISO 27001 Shadow IT Scoping Matrix
- If It’s In-Scope, Does Every ISO 27001 Control Apply?
- Cloud-Native Scoping & Demarcation Points
- Regulatory Scoping: NIS2, EU AI Act, and DORA
- ISO 27001 Remote Workforce Scoping
- ISO 27001 Scope Statement FAQ
What is an ISO 27001 Scope Statement?
The ISO 27001 Scope Statement is the statement that will appear on your ISO 27001 certificate. It is the public document that you share with customers and potential customers. They will use this information to assess whether the ISO 27001 certificate covers what they are buying from you and therefore whether they can place reliance on it for their needs.
The scope statement shows which parts of your business are certified and it shows them that you are doing the right thing for information security.
If the ISO 27001 scope statement does not cover the products or services that they are buying from you then they cannot place reliance on it and it will not be valid for them.
Consider an extreme example where your ISO 27001 scope statement covers the company stationery cupboard (I know, I know, it is an example) and the customer is buying an online SaaS platform from you. Does the fact that you have ISO 27001 certification for your stationery cupboard give them assurance that the online SaaS platform is secure and managed to the standard of ISO 27001?
If you are struggling with this one, let me help you, the answer is no.
What is ISO 27001 Scope?
ISO 27001 scope is the scope of the information security management system.
We are going to build an information security management system with the information security policies and apply it to something to get ISO 27001 certified.
The ‘something’ that we are going to apply it to is the scope.
We document the scope in an ISO 27001 Scope Statement.
| Organisation Type | Strategic Importance | Scope Content Examples |
|---|---|---|
| Small Businesses | Critical for building trust and securing contracts with larger enterprise clients who require proof of security posture. | Specific customer-facing SaaS platforms, managed services, or the physical boundaries of a single head office. |
| Tech Startups | Essential for venture capital due diligence, protecting intellectual property, and establishing a scalable security foundation. | Core product development teams, primary cloud infrastructure (AWS/Azure/GCP), and the secure software development lifecycle (SSDLC). |
| AI Companies | Vital for validating data integrity, ensuring the ethical use of training datasets, and meeting emerging AI-specific regulations. | AI model training environments, proprietary algorithm data sets, and processes governing data subject privacy and consent. |
ISO 27001 Scope Examples
When considering the what of ISO 27001 scope we can look at examples where we might want to apply the standard and gain ISO 27001 certification.
Common examples include:
- A Product: Focus the ISMS and certification on a specific software or hardware product line to provide robust security assurance to end-users.
- A Service: Apply the standard to a particular service offering to ensure data protection and operational resilience for client-facing activities.
- A Location: Define the scope by the physical boundaries of a single office or site where specific high-risk operations are conducted.
- A Geography: Set the boundaries of the management system based on a specific region or territory to align with local jurisdictional requirements.
- A Team: Scope the certification to a high-performing group, such as an engineering team, to secure critical internal development workflows.
- A Department: Formalise the security boundaries for an entire functional area, such as IT or Operations, to manage department-specific risks.
ISO 27001 Scope Statement vs Document Comparison
The Distinction: Scope Statement vs. Scope Document
A common audit failure in 2026 is providing the auditor with a brief Scope Statement when they requested the Scope Document. While the statement is public-facing, the document is an internal technical blueprint required by Clause 4.3.
| Feature | Scope Statement (Public) | Scope Document (Internal) |
|---|---|---|
| Purpose | Printed on your ISO 27001 certificate for clients to see. | Defines the technical and physical boundaries for the audit. |
| Detail Level | High-level summary of products and services. | Granular lists of assets, IAM roles, and network segments. |
| Visuals | Text only. | Includes architecture diagrams and logical network maps. |
| Audit Use | Verification of the certificate’s reach. | Evidence of “Determining the Scope” (Clause 4.3). |
How to write an ISO 27001 Scope Statement
The scope for ISO 27001 is going to be based on two things:
- the products and services you offer
- which of those products and services your customers expect to be certified
To implement ISO 27001 Clause 4.3 effectively, you must define the precise boundaries of your Information Security Management System (ISMS). This involves inventorying products, auditing stakeholder requirements, and mapping the technical landscape to ensure security efforts are focused on high-value assets and customer expectations.
Step 1: Provision a Business Service Inventory
Action: Provision a comprehensive list of all organisational products and services using the specific terminology recognised and used by your customers. Result: A technical baseline of business offerings that allows for the accurate identification of the digital assets requiring protection.
Step 2: Define High-Value Certification Targets
Action: Analyse customer feedback, existing contracts, and sales team insights to choose the specific products that require certification. Result: A resource-efficient scope that focuses security efforts on necessary business units, which minimises documentation workload and reduces implementation costs.
Step 3: Identify Personnel, Technology, and Premises
Action: List the specific departments, technical infrastructure (such as IAM roles or cloud instances), and physical locations that deliver the chosen services. Result: Technical clarity on the human and physical resources that reside within the formal Information Security Management System (ISMS) boundary.
Step 4: Compose the ISO 27001 Scope Statement
Action: Compose a concise, formal statement that explicitly names the services, people, technology, and locations included in the certification. Result: A clear public-facing declaration that defines the precise reach of your security management system for auditors and clients.
Step 5: Formalise In-Scope and Out-of-Scope Details
Action: Formalise a detailed Scope Document that specifically encompasses systems in use, departments involved, and a justified list of exclusions. Result: A robust internal resource supported by architecture diagrams and network maps that clarifies absolute security boundaries for audit evidence.
Management Review Checklist for ISMS Scope Approval
To secure the formal management approval required in Step 5, you must present your ISMS Scope to senior leadership within a documented Management Review Meeting. Auditors will specifically look for these minutes to verify that the scope is not just an IT decision, but a strategic business one.
Use this checklist to ensure your management review meeting captures the specific evidence required for ISO 27001 Clause 4.3 and Clause 9.3 compliance.
- Verify Strategic Alignment: Confirm that the chosen scope (products and services) aligns with the current business strategy and risk appetite for 2026.
- Validate Resource Allocation: Ensure leadership has committed the budget, personnel, and technology required to maintain security within the defined boundaries.
- Review Technical Exclusions: Formally review and approve the justification for any excluded departments or Annex A controls to ensure no “blind spots” exist.
- Audit Stakeholder Needs: Confirm that all security requirements from customer contracts and regulators identified in Clause 4.2 are fully encompassed by the scope.
- Record Formal Sign-off: Ensure the meeting minutes explicitly state: “The ISMS Scope (Version X) was reviewed and approved by the board on [Date].”
Climate Change Impact on ISO 27001 Scoping
Climate Action & ISMS Scoping (Amendment 1)
Per the 2024 ISO 27001 Amendments, you must determine if climate change is a relevant issue. In the context of Clause 4.3, this means evaluating if environmental risks dictate the physical or logical boundaries of your certification.
| Climate Factor (4.1) | Impact on Scope (4.3) | Required Audit Evidence |
|---|---|---|
| Extreme Weather Risks | Specific physical office sites or legacy data centres may be excluded or isolated due to high-risk flood or heat zones. | Exclusion justification in the Scope Document citing environmental risk assessment. |
| Sustainability Mandates | Scope expands to include the Secure Disposal (Annex A 7.14) of hardware via green-certified e-waste partners. | Inclusion of third-party recycling interfaces in the dependency map. |
| Geographical Resilience | Scope shifts toward Multi-Region Cloud Redundancy to mitigate localized environmental outages. | Logical boundary map showing failover data centre locations. |
Lead Auditor Tip: If your Context Analysis (4.1) concludes that climate change is not a relevant issue for your business, your Scope Statement does not need to change. However, you must document that this determination was made. An auditor will ask: “How did your 4.1 climate review affect the boundaries defined in 4.3?” Be ready with a clear answer.
ISO 27001 Scope Statement Examples
| Entity Type | Example Scope Statement Text | Implementation Guidance |
|---|---|---|
| High Table (Specialist) | Information security consultancy and virtual chief information security officer services in accordance with the statement of applicability version 2. | Focuses on the specific service delivery and the Statement of Applicability version control. |
| General Business | The scope encompasses all employees, locations, technology, data assets and business processes that deliver [List the products and services in scope] in accordance with the statement of applicability version [version number]. | A broad baseline requiring the itemisation of products, services, and technical infrastructure. |
| Template Reference | Reusable framework available via the ISO 27001 Scope Document template. | Best for organisations needing a pre-populated structure to ensure Clause 4.3 audit compliance. |
A great ISO 27001 scope example is provided in the ISO 27001 Scope Document template and can be readily reused and adapted for your needs.
ISO 27001 Scope Statement Template
Doing so many ISO 27001 certifications over the years led to the creation of the ISO 27001 Scope Document Template that people can use as part of their own ISO 27001 certification.
Scope Creep
This section addresses the most significant operational risk during an ISO 27001 project: Scope Creep. For CEOs and business owners, an undefined boundary is the primary cause of budget overruns (often exceeding 30-50% of the initial estimate) and audit failure. By formalising your “Out-of-Scope” list with technical justifications, you create an auditor-defensible barrier that protects your timeline and resources.
How to Prevent ISO 27001 Scope Creep: A Guide for CEOs
Preventing scope creep is not about avoiding security; it is about ensuring your certification boundaries match your business liabilities. Auditors naturally explore technical interfaces, and without a rigid, board-approved scope document, a 4-day audit can easily spiral into a 6-day investigation into non-critical systems.
- Define a Minimum Viable Scope (MVS): Action: Identify the specific “Revenue-Generating Assets” your customers require to be certified. Result: A focused ISMS that excludes low-risk back-office functions, reducing documentation volume by up to 40%.
- Formalise a Documented Exclusion Register: Action: List every department, site, or system NOT included in the ISMS and provide a technical justification for each. Result: A pre-emptive defence that stops auditors from “drilling down” into unvetted areas during the Stage 1 assessment.
- Establish Audit Rules of Engagement (RoE): Action: Provision a formal RoE document for the auditor that explicitly states the technical boundaries. Result: Prevention of “Tangent Auditing” where investigators follow data flows into third-party or out-of-scope environments.
- Enforce a Pre-Audit Change Freeze: Action: Revoke the ability to add new systems or services to the ISMS 60 days before the external audit. Result: A stable environment where the documentation matches the actual practices, eliminating last-minute “compliance gaps.”
- Appoint a Single Point of Contact (SPOC): Action: Designate a “Scope Gatekeeper” who is the only individual authorised to provide evidence to the auditor. Result: Elimination of “accidental scope expansion” caused by staff providing evidence for systems that are technically out of scope.
Lead Auditor Tip: If an auditor asks to see evidence for a system you consider out of scope, do not just say “no.” Refer them to your Clause 4.3 Scope Document and point to the Justified Exclusion section. In 2026, a justified “No” is a sign of management maturity, not a lack of compliance.
Watch the Video
To watch a video of how to implement ISO 27001 scope and write an ISO 27001 scope statement watch the tutorial – Determining the Scope of the Information Security Management System.
The Distinction: ISMS Scope vs. Statement of Applicability (SoA)
A common mistake in 2026 is confusing the Scope Statement (Clause 4.3) with the Statement of Applicability (Clause 6.1.3). As a Lead Auditor, I define the difference simply: The Scope is the ‘What’ (your business boundaries), while the SoA is the ‘How’ (the specific controls applied within those boundaries).
| Asset/Function | Status | Technical Justification for Auditor |
|---|---|---|
| Physical Data Centres | Excluded | Organisational reliance on 100% Cloud Infrastructure (AWS/Azure). Physical security is managed via the Cloud Provider’s SOC 2/ISO 27001 reports. |
| Software Development | Included | Internal engineering teams maintain proprietary source code. Annex A 8.25 (Secure Development) is mandatory. |
| Off-shore Support | Excluded | Support is outsourced to a third party with a distinct ISMS; interfaces are managed via Clause 4.2 supplier requirements. |
Lead Auditor Warning on Automation: While GRC platforms like ISMS.online offer ‘automated scoping,’ these tools often miss logical dependencies between legacy systems and modern APIs. Always verify your automated scope against a manual Network Map to ensure no ‘Shadow IT’ remains outside your ISMS boundary.
Aligning ISO 27001, 9001 and 14001 Scope
This technical guide addresses the strategic alignment of an Integrated Management System (IMS). For organisations seeking multi-standard certification, aligning the ISO 27001 scope with ISO 9001 (Quality) and ISO 14001 (Environmental) is the most effective way to reduce documentation redundancy and audit fatigue.
Integrated Management Systems (IMS): Aligning ISO 27001, 9001, and 14001
Aligning your ISO 27001 scope with other ISO standards is facilitated by Annex SL, the high-level structure shared by all modern ISO management systems. By unifying your Clause 4.3 definitions, you can achieve a 25% reduction in total audit duration and ensure that your security objectives support your quality and environmental goals simultaneously.
| Requirement | ISO 27001 (Security) | ISO 9001 (Quality) | ISO 14001 (Environment) |
|---|---|---|---|
| Strategic Focus | Protecting Confidentiality, Integrity, and Availability of data. | Ensuring consistent quality and customer satisfaction. | Managing environmental impact and sustainability. |
| Scope Boundary | Logical and physical data boundaries; technical assets. | Entire production lifecycle and service delivery. | Physical site boundaries and waste streams. |
| Shared Clause 4.3 | Unified Approach: Define the “Organisational Boundary” once. If the ISO 27001 scope is a subset (e.g. just the IT Dept), explicitly justify this within the IMS Scope Statement. | As per the unified approach. | As per the unified approach. |
| Audit Evidence | Statement of Applicability (SoA). | Quality Manual / Process Maps. | Aspects and Impacts Register. |
How to Align Multi-Standard Scopes in 5 Steps
- Step 1: Harmonise Terminology. Action: Use standard Annex SL definitions for “Context,” “Interested Parties,” and “Risks” to ensure all three systems speak the same language. Result: Simplified documentation that is easier for leadership to review.
- Step 2: Create a Unified Context Register. Action: Provision a single register that captures security, quality, and environmental issues in one SWOT/PESTLE analysis. Result: A holistic view of organisational risk that satisfies three auditors at once.
- Step 3: Define Core Physical Boundaries. Action: Formalise the physical locations (offices/data centres) that apply to all standards. Result: Elimination of conflicting site descriptions between your Security and Environmental manuals.
- Step 4: Map Interdependent Interfaces. Action: Identify where security controls (e.g. data destruction) overlap with environmental controls (e.g. e-waste recycling). Result: Technical efficiency where one operational process satisfies multiple ISO requirements.
- Step 5: Conduct an Integrated Management Review. Action: Sign off the scope for all three standards in a single board-level meeting. Result: Documented evidence of top management accountability across the entire IMS.
Lead Auditor Tip: When auditing an IMS, I check if the ISO 27001 scope is nested within the ISO 9001 scope. If you certify your entire company for Quality but only one department for Security, your Scope Statement must clearly define that technical boundary to prevent a non-conformity regarding misleading certification.
ISO 27001 Shared Responsibility Model: Interface Mapping
This technical table focuses on Clause 4.3 (c): “the interfaces and dependencies between activities performed by the organisation and those that are performed by other parties.” For any modern business, documenting the boundary between your responsibility and your cloud provider (AWS, Azure, or GCP) is a mandatory audit requirement to prevent scope gaps.
Cloud Interfaces: Documenting Shared Responsibility (Clause 4.3)
Defining your ISMS scope in 2026 requires a clear mapping of technical interfaces with third-party providers. You must identify exactly where your control ends and the provider’s begins. Use the following table as a baseline for your Shared Responsibility Matrix to satisfy auditor scrutiny during Stage 1.
| Infrastructure Layer | Provider Responsibility (e.g. AWS) | Organisation Responsibility (In-Scope) |
|---|---|---|
| Physical & Facilities | Physical security of data centres, HVAC, and power. | Excluded. Managed via Provider’s ISO 27001/SOC 2 reports. |
| Network Infrastructure | Security of the host, routers, and global cabling. | Included. Network security groups, ACLs, and VPC configurations. |
| Compute & OS | Patching of the virtualization layer. | Included. Guest OS patching, hardening, and Identity Management. |
| Application & Data | N/A (Platform availability only). | Included. Data encryption, classification, and application access controls. |
Lead Auditor Evidence Requirement:
- Service Level Agreements (SLAs): Evidence of formal contracts defining security obligations.
- Third-Party Audit Reports: Evidence that you have reviewed the provider’s ISO 27001 certificate or SOC 2 Type II report.
- Logical Access Map: A diagram showing how data flows across these interfaces (e.g. API connections or site-to-site VPNs).
Lead Auditor Tip: The most common failure in Clause 4.3 is assuming that ‘Cloud-Native’ means ‘Out-of-Scope.’ You must explicitly document the Technical Interface (e.g., the Management Console or API) as an in-scope asset, as its compromise would bypass all other security controls.
ISO 27001 Scope Revision Trigger
2026 Triggers: When Must You Revise Your Scope?
ISO 27001 Clause 4.3 is not a ‘set and forget’ requirement. In 2026, auditors will verify if your scope was updated following these specific triggers:
- Mergers & Acquisitions: Integrating a new business unit requires an immediate logical and physical boundary review.
- AI Deployment: Adopting Generative AI models often moves your logical boundary into third-party LLM environments.
- New Jurisdictions: Opening operations in a new country requires updating your Clause 4.2 Legal Register and physical scope.
Auditor Cheat Sheet: ISO 27001 Scope Statement
This 2026 Auditor Cheat Sheet is designed to prepare your team for the specific technical questioning style of an external certification body. It focuses on the “Evidence of Determination” required for Clause 4.3.
Prepare for your Stage 1 or Stage 2 audit by mastering the answers to these five critical questions. These are the primary “pressure points” auditors use to identify weak ISMS boundaries.
- Auditor Question: “How did you determine the boundaries of your ISMS?” The Correct Answer: Reference your Scope Document. Explain that you mapped your revenue-generating products, identified customer contractual requirements from Clause 4.2, and analysed the technical interfaces between your internal apps and third-party cloud providers.
- Auditor Question: “On what technical grounds did you exclude [Specific Department/Site] from the scope?” The Correct Answer: Point to your Exclusion Register. State that the excluded entity has no logical access to the in-scope data environment and does not perform activities required to deliver the certified services.
- Auditor Question: “How did your Clause 4.1 climate change review impact this scope statement?” The Correct Answer: State that you evaluated environmental risks to physical assets. If relevant, explain that you moved logical boundaries to Multi-Region Cloud Hosting to mitigate extreme weather outages. If not relevant, show the record of the decision in your context register.
- Auditor Question: “Show me the interface where your responsibility ends and your Cloud Provider’s begins.” The Correct Answer: Present your Shared Responsibility Matrix. Explicitly show the demarcation at the hypervisor or API layer, and provide the evidence that you have reviewed the provider’s ISO 27001 certificate.
- Auditor Question: “Why does your Scope Statement refer to SoA Version 2, but your Risk Treatment plan uses Version 3?” The Correct Answer: This is a trick question regarding Version Control. Ensure all documents are synchronised before the audit. The correct answer must be: “They are currently being aligned as part of our Pre-Audit Change Freeze protocol.”
Comparison: ISO 27001 Toolkit vs Online SaaS Platforms for Scope Statements
| Feature | ISO 27001 Toolkit (High Table) | Online SaaS Platform |
|---|---|---|
| Data Ownership | Permanent Ownership. You download the files and keep them forever. Your strategic security data stays on your infrastructure. | Rented Access. Your data lives on a third-party server. Access to your compliance history is revoked if you stop paying. |
| Simplicity & UX | Zero Learning Curve. Built using Microsoft Word and Excel. Your leadership team already knows how to use these tools daily. | High Friction. Requires extensive staff training to navigate proprietary menus, permissions, and complex dashboard layouts. |
| Total Cost | One-off Investment. Pay once for the complete toolkit with no hidden charges or recurring annual fees. | Subscription Trap. Expensive monthly or annual seats that increase in price as your organisation grows. |
| Vendor Lock-in | Total Freedom. No proprietary formats. You can move, edit, or archive your documents without needing a specific vendor’s permission. | High Lock-in. Exporting data into a usable format for auditors is often difficult, forcing long-term platform dependency. |
Scoping for Regulated Industries
ISO 27001 certification is no longer exclusive to IT. In 2026, regulatory frameworks like NIS2 and DORA have made Clause 4.3 scoping a legal necessity for manufacturing, healthcare, and infrastructure sectors.
| Industry | Critical Boundary Point | Required Audit Evidence |
|---|---|---|
| Healthcare | Electronic Health Record (EHR) logical interfaces. | Traceability of patient data flows (HIPAA/GDPR alignment). |
| Manufacturing | Demarcation between IT and OT (Operational Tech). | Network segregation diagrams showing the “Air Gap.” |
| Legal Services | Privileged Client Document access roles. | RBAC (Role-Based Access Control) matrix for legal staff. |
Lead Auditor Tip: For regulated industries, your Scope Statement must mirror your Legal Register. If you are subject to NIS2 but your scope only covers one office, you will likely face a Major Non-Conformity for “Inadequate Determination of Requirements.”
ISO 27001 Shadow IT Scoping Matrix
Scoping for 2026: The Shadow IT Challenge
A major scoping risk in modern environments is the omission of Shadow IT—unauthorised SaaS applications used by staff outside of IT oversight. To satisfy Clause 4.3, your scope must encompass the Logical Data Flow, regardless of whether the software is officially sanctioned.
| Scenario | In-Scope? | Annex A Applicability |
|---|---|---|
| Shadow AI Tools | YES. If business data is processed, it is logically in-scope. | Mandatory: Annex A 5.10 (Acceptable Use). |
| In-Scope Assets | YES. The primary asset is within the ISMS boundary. | Varies: Only controls identified in the Risk Assessment apply. |
Lead Auditor Tip: Do not mistake ‘In-Scope’ for ‘Every control applies.’ Being in scope means the asset is part of the Management System. You then use your Statement of Applicability (SoA) to define exactly which security controls are necessary to protect it.
If It’s In-Scope, Does Every ISO 27001 Control Apply?
Does Every Control Apply to Everything In-Scope?
The short answer is No. There is a critical distinction between the ISMS Scope (the boundaries of your system) and the Statement of Applicability (SoA) (the specific security controls you choose to implement). Just because an asset is in-scope does not mean you must apply all 93 controls from Annex A to it.
| The Scoping Phase | The Risk Phase | The Result (SoA) |
|---|---|---|
| Defining the Boundary (Clause 4.3) | Assessing the Asset (Clause 6.1.2) | Selecting the Control (Clause 6.1.3) |
| “Is this laptop part of the certified product team?” | “What risks face this laptop (Theft, Malware, Data Leak)?” | “We will apply MFA and Encryption, but exclude Physical Perimeter controls.” |
| Outcome: In-Scope | Outcome: Risk Profile Identified | Outcome: Proportionate Security |
3 Key Rules for Control Applicability:
- Risk is the Driver: You only apply a control if your risk assessment identifies a threat that requires that specific mitigation.
- Technical Relevance: If your scope is 100% cloud-based, “Annex A 7.4 Physical security monitoring” is Not Applicable because you have no physical perimeter to monitor.
- Documented Justification: For every control you decide not to apply, you must provide a technical justification in your Statement of Applicability.
Lead Auditor Tip: Auditors don’t want to see you ‘over-controlling’ your environment. In 2026, we look for Proportionate Security. If you claim every control applies to every asset, it tells me you haven’t actually performed a granular risk assessment. The Scope tells me where I can audit; the SoA tells me what I should find there.
Cloud-Native Scoping & Demarcation Points
In a cloud-first world, your ISMS scope is defined by Logical Demarcation Points rather than physical walls. Clause 4.3 (c) requires you to document the interfaces between your activities and those of your cloud provider. Failure to define these “hand-off” points is a primary reason for audit delays and increased certification costs.
| Cloud Model | Demarcation Point (The Boundary) | In-Scope for YOUR ISMS |
|---|---|---|
| SaaS (e.g. M365) | The Application Identity / API Layer | Included: User access, data classification, and backup configurations. |
| PaaS (e.g. Azure SQL) | The Database Configuration / Network ACLs | Included: Encryption settings, connectivity rules, and audit logging. |
| IaaS (e.g. AWS EC2) | The Guest Operating System / Virtual Switch | Included: OS patching, firewall rules, and internal networking. |
ISMS Scope vs. Audit Scope: The 2026 Distinction
People often ask: “Is my ISMS scope the same as my Audit scope?” BLUF: No. Your ISMS Scope is the internal management of all security risks, while the Audit Scope is the specific subset defined on your public certificate. Misaligning these leads to “Certificate Value Gaps” where customers don’t see the services they actually use listed on your ISO 27001 certificate.
Lead Auditor Tip: To prevent “Scope Creep” in cloud environments, use the Data Flow Rule. If your organisation controls the encryption keys or the user access list for a cloud service, that interface is In-Scope. If you assume the provider handles it all, you will fail Clause 4.3 during your Stage 1 audit.
Regulatory Scoping: NIS2, EU AI Act, and DORA
In 2026, ISO 27001 Clause 4.3 must serve as the foundation for your regulatory compliance. An inaccurate scope doesn’t just fail an audit; it can leave you exposed to significant fines under NIS2 or the EU AI Act if critical logical boundaries are omitted.
| Scoping Error | Technical Risk | Estimated Financial Impact |
|---|---|---|
| Overly Broad Scope | Audit fatigue; resources wasted on non-critical back-office assets. | +30% to +50% in certification and audit day costs. |
| Missing Logical API Boundaries | Regulatory non-compliance (NIS2/DORA) due to unmanaged third-party risks. | Potential Fines up to 2% of global turnover or €10m. |
| Unjustified Exclusions | Major Non-Conformity (MNC) during Stage 1 audit. | Cost of Re-Audit: £2,000 to £5,000 per attempt. |
Lead Auditor Tip: When I review a scope for an enterprise firm, I check if the Legal Register (Clause 4.2) matches the Physical Boundaries (Clause 4.3). If you operate in the EU but exclude your EU-based data processing from the scope, you are creating a massive liability gap that an auditor must report.
ISO 27001 Remote Workforce Scoping
Scoping the Remote Workforce: Physical vs. Logical
A major scoping debate in 2026 is the inclusion of home offices. BLUF: For most certifications, individual home offices are excluded from the physical scope, but the Endpoint Device is always logically in-scope.
| Asset Type | Scoping Status | Reasoning |
|---|---|---|
| Home/Coworking WiFi | Excluded | Organisational control ends at the VPN/Tunnel layer. |
| Company Laptops | Included | Contains in-scope data and is managed via MDM (Logical Boundary). |
| Head Office / Hub | Included | Physical site where ‘Top Management’ decisions are recorded. |
ISO 27001 Scope Statement FAQ
What is an ISO 27001 Scope Statement?
An ISO 27001 Scope Statement is a mandatory document that defines the physical, organisational, and logical boundaries of your Information Security Management System (ISMS). It explicitly states which assets, locations, and services are covered by your certification to ensure targeted and effective risk management.
What is the purpose of ISO 27001 Clause 4.3?
The purpose of Clause 4.3 is to ensure your ISMS boundaries are accurately defined based on your business context and stakeholder requirements. By accurately narrowing the scope, organisations can reduce implementation costs by up to 40% and focus resources on protecting their most critical data assets.
How do you determine the boundaries of the ISMS?
To determine ISMS boundaries effectively, you should follow a structured four-step process to ensure all technical dependencies are captured:
- List Products and Services: Identify exactly what products and services your customers purchase from you.
- Identify Stakeholder Expectations: Review customer contracts and Clause 4.2 requirements to identify mandatory security obligations.
- Map Physical and Logical Boundaries: Define data centre locations, cloud environments (such as AWS, Azure, or GCP), and physical office sites.
- Review and Approve: Ensure top management formally approves the documented scope to evidence leadership commitment for the audit.
Can you exclude parts of the business from the ISO 27001 scope?
Yes, you can exclude specific departments or locations, provided those exclusions do not affect the organisation’s ability or responsibility to provide information security. Every exclusion must be technically justified and clearly documented within the Statement of Applicability (SoA) to satisfy Stage 1 audit requirements.
How long does it take to define the ISMS scope?
Defining a robust ISMS scope typically takes between 4 and 8 hours for most SMEs when using the High Table ISO 27001 Toolkit. While the final document is often only 2 to 5 pages long, the underlying analysis of third-party interfaces and dependencies is critical for a successful certification.
Who is responsible for the ISO 27001 Scope Statement?
The Information Security Manager is usually responsible for drafting the scope, but Clause 5.1 mandates that Top Management remain accountable for its approval. Auditors require documented evidence, such as management review minutes, proving that leadership has verified the scope against current business objectives.
