ISO 27001 Glossary

What is ISMS Scope in ISO 27001?

Overview

The ISMS Scope defines the boundaries and applicability of your Information Security Management System. Required by ISO 27001:2022 Clause 4.3, it specifies exactly which parts of your organization, which locations, which systems, and which processes are covered by your ISMS—and equally important, what is excluded.

The scope is a foundational document that shapes all subsequent ISMS activities, from risk assessment to control implementation to audit preparation.

ISMS Scope in Practice

Your ISMS scope must be documented and consider:

  • External and internal issues identified in Clause 4.1 (business context, regulations, threats)

  • Requirements of interested parties from Clause 4.2 (customers, regulators, partners)

  • Interfaces and dependencies with other organizational activities

The scope must be available to interested parties and is typically shared with customers, auditors, and certification bodies.

Your scope determines which Annex A controls apply. A broader scope means more assets to protect and more controls to implement; a narrower scope reduces complexity but may limit business value.

Components of ISMS Scope

Organizational Boundaries

Define which business units, departments, or legal entities are included.

Example (full organization): "This ISMS applies to all operations of Acme Corporation, including headquarters, regional offices, and remote workforce."

Example (specific unit): "This ISMS covers the IT Services division of Acme Corporation, excluding manufacturing and retail operations."

Physical Locations

Specify which geographic sites or facilities are covered.

Example: "The ISMS scope includes our primary data center in Frankfurt, Germany; corporate offices in Paris, France; and all remote employee home offices within the EU."

Processes and Activities

Identify which business processes fall under the ISMS.

Example: "The ISMS covers software development, cloud infrastructure operations, customer data processing, technical support, and IT service management. It excludes HR payroll systems managed by a third party."

Information Assets

Define the types of information and systems protected by the ISMS.

Example: "The ISMS protects customer personal data, proprietary source code, financial records, employee information, and all supporting IT infrastructure (networks, servers, databases, SaaS applications)."

Exclusions and Justifications

Clearly state what is NOT included and explain why.

Example: "The ISMS does not cover the manufacturing plant in Shanghai, as it operates under a separate ISO 9001 quality management system with its own information security controls overseen by the local subsidiary."

Exclusions must be justified and cannot compromise your ability to achieve intended ISMS outcomes or meet legal/regulatory obligations. Auditors will scrutinize unjustified exclusions.

Defining Your Scope: Key Considerations

Business Context (Clause 4.1)

Align scope with strategic objectives, risks, and compliance requirements:

  • What are your critical business processes?

  • Which regulatory requirements apply (GDPR, HIPAA, PCI DSS)?

  • What threats and opportunities affect your organization?

Interested Party Requirements (Clause 4.2)

Ensure scope addresses stakeholder needs:

  • Do customers require ISO 27001 certification for specific services?

  • Do contracts mandate security for certain data or systems?

  • Are there legal obligations to protect specific information types?

Risk-Based Approach

Prioritize high-risk areas:

  • Which assets, if compromised, would cause the most harm?

  • Where are your greatest information security vulnerabilities?

  • What processes handle the most sensitive data?

Practicality and Resources

Balance comprehensiveness with implementation feasibility:

  • Do you have resources to implement controls across the entire organization?

  • Is a phased approach more realistic (start with core services, expand later)?

Start with a narrower scope focused on critical systems and high-value processes. You can expand the scope later as your ISMS matures, demonstrating continual improvement.

Common Scope Patterns

Product/Service-Based Scope

"The ISMS applies to the design, development, deployment, and support of our SaaS customer relationship management (CRM) platform."

Best for: Software companies, service providers, specific product lines.

Location-Based Scope

"The ISMS covers all information security activities at our European headquarters and associated cloud infrastructure."

Best for: Organizations with distinct regional operations or compliance boundaries (e.g., GDPR in EU).

Department-Based Scope

"The ISMS applies to the Information Technology department and all systems, networks, and data they manage."

Best for: Organizations starting ISMS implementation or with federated security management.

Whole-Organization Scope

"The ISMS covers all operations, facilities, employees, and information assets of Acme Corporation globally."

Best for: Mature organizations seeking comprehensive security governance or demonstrating enterprise-wide commitment.

Scope Statement Format

While ISO 27001:2022 doesn't mandate a specific format, effective scope statements typically follow this structure:

  1. Introduction: Organization name and purpose of the ISMS

  2. Inclusions: Business units, locations, processes, systems, data types covered

  3. Exclusions: What is not covered and why

  4. Applicability: Who the ISMS applies to (employees, contractors, partners)

  5. Interfaces: Connections to other management systems or external parties

  6. Approval: Authorized by top management with date

Example Scope Statement

"Acme Cloud Services ISMS applies to the design, development, operation, and support of our multi-tenant cloud storage platform, including all associated infrastructure (data centers in Frankfurt and Dublin), personnel (engineering, operations, support teams), and information assets (customer data, platform code, corporate IT systems). The scope includes remote employees globally. Excluded: Third-party payment processing managed by Stripe under their own ISO 27001 certification. This ISMS complies with ISO 27001:2022, GDPR, and SOC 2 Type II requirements."

Use ISMS Copilot to draft an ISMS scope statement tailored to your organization, identify appropriate inclusions and exclusions, or map interested party requirements to scope elements.

Scope Review and Updates

Your scope is not static. Review and update it:

  • During management review (Clause 9.3) at planned intervals

  • When significant changes occur (mergers, new services, regulatory changes)

  • If internal audits or incidents reveal gaps in coverage

  • As part of continual improvement to expand protection

Document scope changes, obtain top management approval, and communicate updates to interested parties.

Scope Impact on Controls

Your scope directly determines:

  • Risk assessment boundaries: Which assets and threats to evaluate (Clause 6.1.2)

  • Applicable controls: Which Annex A controls are relevant (Clause 6.1.3)

  • Statement of Applicability: What to include in the SoA

  • Audit scope: What certification bodies will assess

  • Resource requirements: Budget, personnel, tools needed

Common Mistakes to Avoid

  • Scope too broad for available resources, leading to incomplete implementation

  • Scope too narrow, excluding critical systems or data

  • Vague language that makes boundaries unclear

  • Excluding high-risk areas without valid justification

  • Not aligning scope with customer or regulatory requirements

  • Failing to update scope when business changes

  • Missing approval from top management