ISO 27001 Scope: How to Define Your ISMS Scope

ISO 27001 Scope

The ISO 27001 scope is the first and most strategically consequential decision in the entire ISMS implementation journey. Every subsequent decision — which controls to implement, how much documentation to build, how many auditor days will be required, and ultimately what the certificate will say to enterprise buyers and regulators — flows from the scope definition made at the very start of the process.

According to ISMS.online, scope definition errors are among the most common sources of mid-engagement rework in ISO 27001 certification projects. The ISO/IEC 27001:2022 standard is explicit about what the scope must address. For context on how the scope connects to the broader ISMS design, see ISO 27001 ISMS. For the complete implementation process from scope to certificate, see how to get ISO 27001 certification.

Tl; DR:

Concern: Organizations frequently define their ISO 27001 scope either too broadly — creating an unmanageable implementation burden — or too narrowly — producing a certificate that does not cover the assets and services their customers and regulators care about. Both errors are costly and avoidable.
Overview: The ISO 27001 scope defines the boundaries of the ISMS — which organizational units, physical locations, information assets, systems, and services fall within the certified perimeter. It must be documented, justified in terms of the organization’s context and risk profile, and consistent with the interfaces between in-scope and out-of-scope elements.
Solution: Organizations that define their ISO 27001 scope systematically — starting from customer requirements and regulatory obligations, mapping their information asset landscape, and calibrating scope boundaries against implementation feasibility — consistently produce scope definitions that are commercially relevant, technically defensible, and operationally manageable. CertPro CPA LLC helps organizations define ISMS scopes that maximize certification value.

What Is the ISO 27001 Scope?

The ISO 27001 scope is the documented statement of the boundaries within which the organization’s ISMS operates. ISO/IEC 27001:2022 Clause 4.3 requires the organization to determine the scope by considering:

  • External and internal issues: The context factors identified in Clause 4.1 — including the organization’s strategic direction, regulatory environment, market position, technological landscape, and internal governance structure
  • Requirements of interested parties: The security requirements of the stakeholders identified in Clause 4.2 — including customers, regulators, investors, employees, and suppliers
  • Interfaces and dependencies: The interactions between activities performed within the ISMS scope and those performed outside it — including third-party services, cloud providers, parent organizations, and other organizational units

The scope must be documented as maintained information — it cannot be held only in the minds of the ISMS team. It must be version-controlled, formally approved, and available for Stage 1 auditor review.

ISO 27001 Scope — The Five Dimensions to Define

Dimension 1 — Organizational Boundaries

Which business units, departments, functions, and legal entities are within the ISMS scope? The organizational boundary must be justified by reference to the information security risk profile. Functions that process, store, or transmit sensitive information assets within the ISMS scope should generally be included.

Dimension 2 — Physical Locations

Which offices, data centres, co-location facilities, cloud environments, and remote working locations are within scope? ISO/IEC 27001:2022 Annex A control 6.7 (Remote Working — new in 2022) specifically requires documented security controls for remote working — meaning remote environments must be addressed if in-scope personnel process sensitive information from home or mobile locations.

Dimension 3 — Information Assets and Systems

Which databases, applications, cloud platforms, infrastructure components, and data repositories are within scope? The information asset dimension should be driven by the risk profile. For guidance on systematically identifying and cataloguing information assets to support scope definition, see how to build an asset inventory for ISO 27001.

Dimension 4 — Services and Products

For service organizations — SaaS platforms, managed service providers, consulting firms, financial services providers — the scope should specify which services or products are covered by the ISMS. Enterprise customers reviewing the certificate need to understand precisely whether the specific service they procure falls within the certified scope boundary.

Dimension 5 — Interfaces and Dependencies

The scope statement must address how the in-scope ISMS boundary interfaces with elements that are outside the scope — including parent organizations, subsidiaries, third-party service providers, cloud platform providers, and other external parties. For more on managing third-party interfaces, see ISO 27001 risk management.

ISO 27001 Scope Statement Examples

Example 1 — Cloud SaaS Company

“The ISMS covers the design, development, operation, and support of the SaaS platform, including the engineering, product management, DevOps, customer success, and information security functions. The scope includes the AWS infrastructure (eu-west-1 and us-east-1 regions) on which the platform is hosted, all customer data processed and stored within the platform, and the business processes through which customer accounts are provisioned, managed, and supported. Physical security of AWS data centre facilities is governed under AWS’s own ISO 27001 certification. Remote working by engineering and operations personnel is governed under the Remote Working Policy. Interfaces with third-party services are governed through contractual security requirements and periodic supplier assessments.”

Example 2 — Professional Services Firm

“The ISMS covers the delivery of professional services to clients, encompassing the relevant practice area teams at the firm’s offices. The scope includes all information systems through which client engagements are managed, documented, and delivered. IT infrastructure management services are provided by a managed service provider under a managed services agreement that includes information security requirements consistent with the ISMS scope.”

Example 3 — Financial Services Organization

“The ISMS covers the product/service line operations, including the technology, operations, compliance, and customer service functions. The scope includes all information systems used in the processing, storage, and transmission of customer financial data. Cloud services used within scope are governed under the Cloud Security Policy and assessed under the Supplier Security Assessment procedure.”

Common ISO 27001 Scope Mistakes to Avoid

  • Defining scope as the entire organization without justification: Must be justified. Organizations that default to full-organization scope without rigorous analysis often create an implementation burden that cannot be sustained through three annual surveillance cycles.
  • Excluding systems that customers explicitly care about: Before finalizing scope, verify the proposed scope covers every system and service that current and target enterprise customers reference in security questionnaires and vendor qualification requirements.
  • Failing to address interfaces with out-of-scope elements: Every significant interface — cloud providers, third-party integrations, parent organization systems, outsourced IT services — must be acknowledged and the boundary security mechanism described.
  • Defining scope inconsistently with the risk assessment: Assets that are within the ISMS scope must appear in the asset inventory and risk register. Discrepancies between scope and risk assessment are a flag for Stage 1 auditors.
  • Not reviewing scope during organizational changes: Embed scope review in the annual management review cycle. When new systems are added, new business units created, or new services launched, the scope must be assessed and updated if necessary.
  • Using vague scope language: Scope statements like ‘all information systems’ or ‘the entire business’ without further specification leave auditors — and customers — unable to determine what the certificate actually covers. Specificity is essential.

For organizations managing ISMS scopes within evolving organizational environments, integrating scope currency review into internal audit procedures ensures scope boundaries remain accurate throughout the certificate cycle. For ISO 27001 policies and procedures that must be consistent with the defined scope, see ISO 27001 policies and procedures.

ISO 27001 Scope and the Statement of Applicability — How They Connect

The ISMS scope and the Statement of Applicability are closely linked. Controls are frequently excluded from the SoA precisely because the assets, activities, or threats they address fall outside the ISMS scope boundary. For example, organizations whose scope covers only cloud-delivered services may legitimately exclude physical security controls (7.1–7.14) with the justification that no physical infrastructure is within scope.

Both documents must be mutually consistent — auditors review them together during Stage 1 to verify alignment. For full SoA guidance, see ISO 27001 Statement of Applicability. For security and compliance credential management, see security and compliance.

Ready to Get ISO 27001 Certified?

CertPro CPA LLC is a licensed CPA firm delivering ISO 27001 certification audits. Work with credentialed auditors who understand your business environment.

Schedule your ISO 27001 certification discussion →

FAQ

What is the ISO 27001 scope?

The ISO 27001 scope is the documented statement of the boundaries within which the organization’s ISMS operates — defining which organizational units, physical locations, information assets, systems, services, and processes fall within the certified perimeter. It is a mandatory requirement under Clause 4.3 of ISO/IEC 27001:2022.

What should an ISO 27001 scope statement include?

An ISO 27001 scope statement should address: the organizational boundaries (which business units and functions), the physical locations (offices, data centres, cloud environments), the information assets and systems protected, the services or products covered by the ISMS, and the interfaces with out-of-scope elements including third-party services and cloud providers.

Can I limit my ISO 27001 scope to one department or product?

Yes — ISO 27001 allows organizations to define a scope that covers a subset of the organization, provided the scope is clearly defined, justified, and that interfaces with out-of-scope elements are adequately addressed. A focused scope can be implemented more efficiently and certified more quickly than a broad organizational scope.

How detailed does the ISO 27001 scope statement need to be?

The scope statement must be specific enough for an auditor — and a prospective customer — to clearly understand what is within the ISMS boundary and what is not. It should specifically name organizational units, physical locations or cloud regions, information systems, and services covered. Vague language like ‘all information systems’ without further specification is insufficient.

How often should the ISO 27001 scope be reviewed?

The ISO 27001 scope should be reviewed at minimum annually during management review, and whenever significant organizational changes occur — new systems, new business units, new services, changes to cloud infrastructure, or changes to the regulatory environment. Scope changes must be documented, approved, and reflected in the SoA and risk assessment.

What happens if your ISO 27001 scope is wrong?

An incorrectly defined scope — either too broad to implement or too narrow to satisfy customer and regulatory requirements — requires remediation that delays certification, increases cost, and may require re-scoping the entire implementation engagement. Investing in scope definition quality at the start of the certification journey is the most effective risk mitigation in the entire process.

Schedule A Meeting