Scope

What is Scope?

Scope is a documented description that defines the physical and logical boundaries of an organisation's ISMS, as required by ISO 27001 Clause 4.3. The primary implementation requirement is an organisational boundary assessment; the business benefit is verified protection of the assets inside that boundary and security management resources focused on them.

What is Scope?

The ISO 27001 Scope is a specific, written description that defines the boundaries of an organisation’s Information Security Management System (ISMS). Think of it as drawing a clear line around the people, processes, technology, and locations that the ISO 27001 standard will cover. Everything inside the scope is included in the security system, and everything outside is not. Having a clear scope is the very first step in implementing ISO 27001 because it tells you exactly what needs to be protected and managed.

Examples

  • Small Scope: “The ISMS scope covers the development and support of our cloud-based customer portal, including the IT infrastructure located at the corporate headquarters.” This focuses only on one product and one location.
  • Large Scope: “The ISMS scope covers all IT systems, personnel, physical facilities, and business processes supporting the services offered by the entire company, as documented in the company organizational chart and process maps.” This includes almost everything the company does.

ISO 27001 Context

Setting the scope is important because it ensures the ISMS is relevant and manageable. It must consider the organisation’s business needs, legal requirements, and security risks. You must clearly document the scope, including what’s included and any justified exclusions (things intentionally left out). This documentation must be maintained and made available for review, especially during the ISO 27001 certification audit. A scope that’s too wide can be overwhelming and costly, while a scope that’s too narrow might miss critical areas that need security.

How to implement Scope

Defining the scope of your Information Security Management System (ISMS) is the most critical step in your ISO 27001 journey. As a Lead Auditor, I have seen many organisations fail their technical audits because their scope was either too broad to manage or too narrow to protect high-risk data. Under Clause 4.3, you must precisely define your boundaries, considering internal issues, external requirements, and the technical interfaces between your business and third parties. This 10-step guide ensures you formalise a citable, compliant scope statement that satisfies UKAS auditors and provides 100% clarity on your security perimeter.

1. Provision an Organisational Boundary Assessment

Identify every legal entity, department, and business unit to be included in the ISMS: This ensures that 100% of relevant organisational structures are accounted for before technical work begins. Key requirements include:

  • Documenting the legal names of all entities within the certification boundary.
  • Identifying business functions that share common technical infrastructure.
  • Setting the foundational organisational context required for Clause 4.1.

2. Audit Physical and Virtual Locations

Audit all geographic sites, data centres, and cloud environments where organisational data is processed: You cannot protect data in locations that have not been identified. Technical actions include:

  • Mapping physical office locations and remote working technical requirements.
  • Identifying all Cloud Service Providers (CSPs) and SaaS platforms in use.
  • Documenting the logical boundaries of virtualised network segments.

3. Formalise Interested Party Requirements

Provision a review of Clause 4.2 to identify the security expectations of customers, regulators, and partners: This ensures the scope covers 100% of your contractual and legal obligations. Requirements involve:

  • Extracting security clauses from existing supplier and client agreements.
  • Identifying mandatory regulatory frameworks such as GDPR or NIS2.
  • Aligning the scope boundary with stakeholder data protection needs.

4. Provision a Technical Interface Map

Formalise a map of all interfaces and dependencies between the organisation and external third parties: This identifies technical “hand-off” points where security responsibility shifts. Key actions include:

  • Documenting API connections and dedicated network tunnels.
  • Identifying managed service providers (MSPs) with administrative access.
  • Defining the technical boundaries of the “internal” network.

5. Identify and Justify Exclusions

Audit business processes to identify areas that will be excluded from the ISMS and provide a technical justification: Exclusions must not impact the organisation’s ability to provide secure services. Implementation steps involve:

  • Documenting why specific departments or systems are outside the boundary.
  • Verifying that excluded areas do not process sensitive customer PII.
  • Ensuring exclusions are clearly citable within the final scope statement.

6. Formalise the Documented Scope Statement

Provision the final “Scope of the ISMS” as documented information to satisfy Clause 4.3: This citable record is the primary evidence requested by auditors during a Stage 1 audit. Technical requirements include:

  • Writing a concise paragraph that defines what the organisation does and where.
  • Listing all included locations and technical platforms.
  • Ensuring the document is version-controlled and centrally accessible.

7. Audit Legal and Regulatory Alignment

Withdraw any scoping assumptions that conflict with mandatory jurisdictional laws: This ensures the ISMS boundary does not bypass local data residency or privacy requirements. Necessary actions include:

  • Cross-referencing the scope statement against the Legal Register.
  • Verifying that 100% of high-risk data processing is within the audit boundary.
  • Updating the Statement of Applicability (SoA) to reflect scoped technical controls.

8. Provision Senior Management Sign-off

Formalise executive approval of the scope boundary to ensure resource allocation and accountability: Without management sign-off, the scope is not technically valid for certification. Audit evidence includes:

  • Documenting scope approval in management review meeting minutes.
  • Securing a signed authorisation from the C-Suite or Board.
  • Confirming that the scope aligns with the strategic business direction.

9. Communicate Scope to Internal Stakeholders

Provision internal briefings to ensure all staff understand whether they operate within the ISMS boundary: This ensures that IAM roles and security policies are applied correctly. Technical actions include:

  • Updating the security awareness training to reflect scoped departments.
  • Linking the scope boundary to internal technical support workflows.
  • Ensuring Asset Owners understand their responsibilities within the scoped area.

10. Audit and Recalibrate the Scope Periodically

Execute an annual review of the scope to account for organisational growth, acquisitions, or technical shifts: ISO 27001 requires the scope to remain accurate as the business evolves. Necessary steps are:

  • Conducting a gap analysis whenever new technical infrastructure is deployed.
  • Updating the Asset Register to reflect additions to the scoped environment.
  • Recertifying the scope statement during the annual internal audit cycle.
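The checks in steps 5 and 7 (excluded units must not handle customer PII, and all high-risk processing must sit inside the boundary) can be run mechanically once the scope statement is held as data. The following is an added example, not part of the original article or the author's toolkit; the entity, locations, network segments, exclusion and asset register are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical scope statement expressed as data (constructed, not from the article).
# Locations and network segments mirror steps 2 and 4; exclusions mirror step 5.
SCOPE = {
    "entities": {"Example Ltd"},
    "locations": {"London HQ", "AWS eu-west-2"},
    "network_segments": [
        ipaddress.ip_network("10.10.0.0/16"),   # HQ office LAN
        ipaddress.ip_network("10.20.5.0/24"),   # production VPC subnet
    ],
    # Excluded unit -> documented justification (step 5)
    "exclusions": {"Marketing": "Public web content only; no customer PII"},
}


@dataclass
class Asset:
    name: str
    owner_unit: str
    location: str
    ip: str
    classification: str  # "public", "internal" or "customer-pii"


def in_scope(asset: Asset, scope: dict = SCOPE) -> bool:
    """An asset is in scope only if its owning unit is not excluded, its
    location is a listed site/cloud region, and its address falls inside a
    scoped network segment."""
    if asset.owner_unit in scope["exclusions"]:
        return False
    if asset.location not in scope["locations"]:
        return False
    addr = ipaddress.ip_address(asset.ip)
    return any(addr in segment for segment in scope["network_segments"])


def boundary_findings(assets: list, scope: dict = SCOPE) -> list:
    """Names of assets that process customer PII but sit outside the ISMS
    boundary: each one is either an invalid exclusion (step 5) or high-risk
    processing missing from the audit boundary (step 7)."""
    return [a.name for a in assets
            if a.classification == "customer-pii" and not in_scope(a, scope)]


# Constructed asset register (step 10 keeps this current as the estate changes).
ASSETS = [
    Asset("portal-db", "Engineering", "AWS eu-west-2", "10.20.5.14", "customer-pii"),
    Asset("crm-export", "Marketing", "London HQ", "10.10.3.7", "customer-pii"),
    Asset("wiki", "Engineering", "London HQ", "10.10.8.1", "internal"),
    Asset("lab-box", "Engineering", "Manchester lab", "192.168.1.5", "customer-pii"),
]
```

Running `boundary_findings(ASSETS)` flags `crm-export` (an excluded unit holding PII, so the exclusion justification fails) and `lab-box` (PII processed at an unlisted site).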

Scope FAQ

What is the scope of an ISO 27001 ISMS?

The scope defines the physical, organisational, and technical boundaries of your Information Security Management System (ISMS) to ensure 100% clarity on what assets are protected. Under Clause 4.3, it is a mandatory citable document that identifies the locations, business units, and interfaces included in the certification audit.

Is it possible to exclude certain parts of a business from the ISO 27001 scope?

Yes, organisations can exclude specific departments or geographic locations from the scope, provided the exclusion does not impact the security requirements of customers or the organisation’s legal obligations. Auditors typically look for a clear technical justification for any exclusions to prevent high-risk data sets from being ignored.

What are the mandatory requirements for documenting the ISO 27001 scope?

Under Clause 4.3, the scope must be maintained as “documented information” and must consider internal and external issues, interested party requirements, and technical interfaces. To pass a UKAS audit, the document must explicitly list:

  • Organisational Units: Specific departments or subsidiaries included.
  • Physical Boundaries: Office locations, data centres, and remote working environments.
  • Technical Assets: Specific software, hardware, and network segments covered.
  • Exclusions: A formalised list of what is not covered and why.

How does the scope affect the cost of ISO 27001 certification?

The scope size directly dictates the number of audit days required by the certification body; a smaller, focused scope can reduce total certification costs by approximately 40% to 60%. Increasing the scope to cover 100% of an organisation often adds significant complexity and management overhead to the maintenance of technical controls.

Relevant ISO 27001 Controls

Related ISO 27001 Control / Clause (Relationship): Description

  • ISO 27001 Clause 4.3: Determining the Scope of the ISMS (Core Requirement): The mandatory management system requirement that defines the boundaries of the ISMS, including people, processes, technology, and locations.
  • ISO 27001 Clause 4.1: Context of the Organisation (Foundational Input): The internal and external issues identified here are used to determine the boundaries and applicability of the ISMS scope.
  • ISO 27001 Clause 4.2: Interested Parties (Stakeholder Influence): The requirements of relevant interested parties (such as customers and regulators) must be considered when defining what is included in the scope.
  • ISO 27001 Clause 5.3: Roles, Responsibilities and Authorities (Operational Definition): Once the scope is defined, clear roles and authorities must be assigned to manage the security of the assets and processes within those boundaries.
  • ISO 27001 Annex A 5.1: Policies for Information Security (Policy Application): Security policies must be specifically written to cover everything defined within the ISMS scope to ensure consistent protection.

About the author

Stuart Barker
ISO 27001 Ninja

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
