Scope

26/09/2025

Author: Stuart Barker | ISO 27001 Expert and Thought Leader

The ISO 27001 Scope is a specific, written description that defines the boundaries of an organisation’s Information Security Management System (ISMS). Think of it as drawing a clear line around the people, processes, technology, and locations that the ISO 27001 standard will cover. Everything inside the scope is included in the security system, and everything outside is not. Having a clear scope is the very first step in implementing ISO 27001 because it tells you exactly what needs to be protected and managed.

Examples

  • Small Scope: “The ISMS scope covers the development and support of our cloud-based customer portal, including the IT infrastructure located at the corporate headquarters.” This focuses only on one product and one location.
  • Large Scope: “The ISMS scope covers all IT systems, personnel, physical facilities, and business processes supporting the services offered by the entire company, as documented in the company organizational chart and process maps.” This includes almost everything the company does.

ISO 27001 Context

Setting the scope is important because it ensures the ISMS is relevant and manageable. It must consider the organisation’s business needs, legal requirements, and security risks. You must clearly document the scope, including what’s included and any justified exclusions (things intentionally left out). This documentation must be maintained and made available for review, especially during the ISO 27001 certification audit. A scope that’s too wide can be overwhelming and costly, while a scope that’s too narrow might miss critical areas that need security.

Relevant ISO 27001 Controls

The main ISO 27001 Clause for ISO 27001 scope is ISO 27001:2022 Clause 4.3: Determining The Scope Of The Information Security Management System

While defining the scope is part of Clause 4 of the main standard, it sets the stage for which controls from Annex A you must consider applying. Since the scope defines the boundaries for the entire ISMS, all Annex A controls are potentially relevant, but the most directly related control for establishing the boundary is:

Note: The scope itself is primarily required by Clause 4.3, which is a requirement before applying the specific Annex A controls.

Further Reading

How to Define ISO 27001 Scope with Examples and Template

ISO 27001 Scope Statement Beginner’s Guide

About the author

Stuart Barker is an information security practitioner of over 30 years. He holds an MSc in Software and Systems Security and an undergraduate degree in Software Engineering. He is an ISO 27001 expert and thought leader holding both ISO 27001 Lead Implementer and ISO 27001 Lead Auditor qualifications. In 2010 he started his first cyber security consulting business that he sold in 2018. He worked for over a decade for GE, leading a data governance team across Europe and since then has gone on to deliver hundreds of client engagements and audits.

He regularly mentors and trains professionals on information security and runs a successful ISO 27001 YouTube channel where he shows people how they can implement ISO 27001 themselves. He is passionate that knowledge should not be hoarded and brought to market the first of its kind online ISO 27001 store for all the tools and templates people need when they want to do it themselves.

In his personal life he is an active and a hobbyist kickboxer.

His specialisms are ISO 27001 and SOC 2 and his niche is start up and early stage business.