ISO 42001 Scope: How to Define Your AIMS Boundaries Correctly

ISO 42001 scope definition is the single most important decision your organisation makes when implementing an AI management system. The scope statement determines which AI systems, business units, processes, and locations fall within your AIMS boundaries — and therefore which risks, controls, and audit obligations apply to your certification. Get the ISO 42001 scope right and the entire implementation flows logically from it. Define it poorly and you risk either an unmanageable implementation burden or a scope so narrow it fails to satisfy auditor expectations.

According to the official ISO standard publication, scope definition is a Clause 4 requirement — meaning it must be completed before any other implementation activity begins. The scope statement must be documented, formally approved, and available to auditors as part of the mandatory AIMS documentation set. Furthermore, scope boundaries must be clearly justified — auditors will question any scope that appears to exclude significant AI systems or activities without credible reasoning.

This article explains exactly how to define your ISO 42001 scope, what the standard requires a scope statement to contain, how to balance breadth against implementation practicality, and the most common scoping mistakes that delay certification or produce findings during audit.

TL;DR:

Concern: Poorly defined ISO 42001 scope leads to implementation overload, audit findings, or a certificate that does not cover your most significant AI risks — see how to approach this at our ISO 42001 certification hub.
Overview: ISO 42001 scope defines which AI systems, processes, business units, and locations fall within your AIMS boundaries. It must be documented, justified, and formally approved before implementation begins.
Solution: CertPro CPA LLC helps organisations define defensible, audit-ready AIMS scope statements that balance compliance coverage with implementation practicality.

What Is ISO 42001 Scope and Why Does It Matter?

ISO 42001 scope is the documented definition of the boundaries within which your AI management system operates. It answers four fundamental questions: which AI systems does your AIMS govern, which organisational units and locations are included, which processes and activities fall within scope, and what are the interfaces between your AIMS and the activities that sit outside its boundaries?

Scope matters for three practical reasons. First, it determines the scale of your implementation effort — every AI system and business unit within scope requires risk assessment, control implementation, and documented evidence. Second, it defines what auditors will examine during Stage 1 and Stage 2 certification audits — only activities within scope are subject to audit scrutiny. Third, it shapes what your certificate communicates to customers and regulators — a certificate that excludes your most significant AI systems may not satisfy procurement or regulatory requirements.

Additionally, scope decisions are not permanent. Many organisations start with a focused initial scope — covering only their highest-risk AI systems or primary business unit — and expand scope in subsequent certification cycles as their AIMS matures. This phased approach is entirely legitimate and recognised in the standard. However, the initial scope must still be credible and meaningful rather than designed primarily to minimise implementation effort.

What the ISO 42001 Standard Requires for Scope

Clause 4.3 of ISO/IEC 42001:2023 sets out the specific requirements for AIMS scope definition. The standard requires organisations to determine the boundaries and applicability of the AIMS by considering four key inputs:

  • The external and internal issues identified under Clause 4.1 — including regulatory requirements, competitive context, and organisational objectives
  • The requirements of interested parties identified under Clause 4.2 — including customers, regulators, employees, and affected communities
  • The interfaces and dependencies between your organisation and external parties that are relevant to AI management
  • The specific AI systems and activities your organisation develops, provides, or uses

According to BSI’s AI management system guidance, scope statements that clearly document their reasoning — explaining why specific AI systems are included and why others are excluded — consistently receive cleaner Stage 1 audit outcomes than those that simply list included systems without justification.

The scope statement must be maintained as documented information and made available to relevant interested parties. In practice, this means it should be included in your AIMS documentation set, approved at a level consistent with your AI policy, and accessible to auditors and relevant stakeholders.

Key Decisions in Defining Your ISO 42001 Scope

Which AI Systems to Include

The first and most consequential scoping decision is which AI systems to include within your AIMS boundaries. An AI system in the context of ISO 42001 scope is any machine-based system that uses models to generate outputs — predictions, recommendations, decisions, or content — that influence real or virtual environments.

Practically, this definition includes machine learning models, large language models, automated decisioning systems, computer vision systems, natural language processing tools, and AI-powered recommendation engines. It does not include conventional rule-based systems or simple automation that does not involve learning or inference from data.

When deciding which AI systems to include in your initial scope, prioritise based on risk. Systems that make consequential decisions affecting individuals, process sensitive personal data, operate in regulated contexts, or carry reputational risk if they fail should be included before lower-risk internal tools. Our AI risk management guide explains how to assess and prioritise AI system risk systematically.

Which Organisational Units and Locations to Include

Your ISO 42001 scope must specify which business units, departments, and geographic locations fall within AIMS boundaries. This decision determines who needs to be involved in implementation, who requires training and awareness, and which operational processes auditors will examine.

Organisations with AI systems concentrated in a specific business unit — a data science team, a product development group, or a specific technology platform — can often define a focused initial scope around that unit. However, scope must follow the AI systems. If an AI system is developed by one business unit but deployed and operated by another, both units typically need to fall within scope.

For multinational organisations, geographic scope decisions require careful consideration of local regulatory requirements. AI systems operating in the EU may face EU AI Act obligations that affect scope design differently from the same systems operating in markets without equivalent AI regulation.

How to Handle Third-Party AI Systems

Most organisations use at least some third-party AI tools — licensed software, cloud-based AI services, or AI components integrated into broader platforms. Deciding how to handle these within your ISO 42001 scope requires balancing governance accountability with practical control limitations.

Third-party AI systems that your organisation deploys and uses in consequential decisions should generally fall within your AIMS scope — because you are accountable for the governance of how those systems are used, even if you did not build them. The Annex A controls for supplier management and AI procurement address your governance obligations toward those third-party systems. Our Annex A controls breakdown explains what these supplier governance controls require in practice.

What to Explicitly Exclude

Exclusions from your ISO 42001 scope must be documented and justified. Credible exclusion justifications typically fall into one of three categories:

  • The excluded AI system genuinely falls outside the definition of an AI system under the standard — for example, simple rule-based automation with no learning or inference capability
  • The excluded activity is genuinely outside your organisation’s control — for example, AI systems operated entirely by a parent company or joint venture partner with their own separate AIMS
  • The risk profile of the excluded system is genuinely low enough to justify exclusion from the initial scope, with a documented plan to include it in a future scope expansion

How to Write an Effective ISO 42001 Scope Statement

Describe the Organisation and Its AI Context

Start by describing your organisation — its primary activities, the industries it operates in, and its overall AI footprint. This context helps auditors understand the basis for your scope decisions and establishes the organisational backdrop against which the rest of the scope statement is read.

List the AI Systems Within Scope

Name each AI system included in your AIMS scope clearly. For each system, provide a brief description of its purpose, the data it processes, the decisions or outputs it generates, and the business context in which it operates. Where systems are grouped — for example, a family of related models built on a shared platform — describe the grouping and its boundaries.

Define the Organisational Boundaries

Specify which business units, departments, and locations fall within scope. Where scope covers only part of a larger organisation, clearly describe the boundary between in-scope and out-of-scope organisational units. This precision helps auditors understand exactly what they will be examining during Stage 2.

Document Interfaces with Out-of-Scope Activities

Where your in-scope AIMS interacts with out-of-scope activities — for example, where in-scope AI systems process data supplied by out-of-scope business units, or where in-scope AI outputs are consumed by out-of-scope decision processes — document those interfaces clearly. This demonstrates that scope boundaries have been thought through carefully rather than drawn arbitrarily.

Justify Any Significant Exclusions

If any significant AI systems or activities that might be expected to fall within scope have been excluded, explain the justification clearly in the scope statement. Auditors are trained to ask about apparent exclusions — having a well-documented justification in the scope statement prevents unnecessary audit findings.

Common ISO 42001 Scope Mistakes to Avoid

  • Scope too broad for available resources — Including every AI system across the entire organisation in the initial scope creates an implementation burden that overwhelms available staff and budget. A focused initial scope is more likely to achieve certification successfully than an over-ambitious one that stalls mid-implementation.
  • Scope too narrow to be credible — Excluding your most significant AI systems to minimise implementation effort produces a scope that auditors will question and that may not satisfy customer or regulatory requirements. The scope must be meaningful and defensible, not just convenient.
  • Failing to document exclusion justifications — Simply omitting AI systems from scope without explaining why consistently produces Stage 1 audit findings. Every significant exclusion needs a documented rationale in the scope statement.
  • Ignoring third-party AI systems — Excluding third-party AI tools your organisation relies on for consequential decisions — without addressing them through supplier governance controls — leaves a governance gap that auditors notice.
  • Not aligning scope with the risk assessment — Scope and risk assessment must be consistent. If your risk assessment identifies significant AI systems that are not included in scope, auditors will question why those systems are excluded from AIMS governance.

ISO 42001 Scope vs ISO 27001 Scope: Key Differences

Organisations implementing ISO 42001 alongside an existing ISO 27001 programme often ask how AIMS scope relates to their existing ISMS scope. The two scope definitions address different governance domains and do not need to be identical — but they should be consistent and complementary.

ISO 27001 scope defines the boundaries of your information security management system — typically covering the information assets, systems, and processes where information security controls apply. ISO 42001 scope defines the boundaries of your AI management system — covering the AI systems, lifecycle processes, and organisational units where AI governance controls apply.

In many organisations, there will be significant overlap — AI systems that process information assets also covered by the ISMS. In these cases, integrated scope definitions that reference both standards reduce documentation duplication and simplify governance. Our article on ISO 42001 vs ISO 27001 covers how the two management systems interact and where integration creates the most value.

Expanding Your ISO 42001 Scope Over Time

ISO 42001 scope is not static. As your AIMS matures, your organisation’s AI footprint grows, or regulatory requirements evolve, your scope will need to expand. The standard supports and encourages this kind of continual improvement in governance coverage.

Scope expansions should be planned, documented, and managed through your AIMS change management process. Significant scope expansions — adding new business units, new geographic locations, or significantly different AI system types — may require a scope extension audit from your certification body, or may be addressed during the next scheduled surveillance audit depending on the nature of the change.

Proactively communicating planned scope changes to your certification body — rather than presenting them as a fait accompli during a surveillance audit — is strongly recommended practice. Most certification bodies can provide guidance on whether a proposed scope change triggers an additional audit visit.

For organisations in growth phases, our ISO 42001 certification process guide explains how to plan scope expansion alongside your broader AIMS development roadmap.

Getting Your ISO 42001 Scope Right with CertPro

Scope definition is where CertPro CPA LLC adds significant value for organisations starting their AIMS journey. Our team brings experience across multiple ISO 42001 implementation projects and understands exactly what auditors look for in a scope statement and what questions they ask when scope boundaries appear to have gaps.

We work with your leadership team to map your full AI system inventory, assess risk levels across all systems, and design a scope that is meaningful for compliance purposes while remaining achievable within your available resources and timeline. The result is a scope statement that auditors accept without significant questioning — and an implementation plan built on foundations that hold up through the full three-year certification cycle.

CertPro supports AIMS scope definition projects across India — including Bangalore, Chennai, and Pune — as well as internationally. See our full certification service for details.

Define Your ISO 42001 Scope with Confidence

CertPro CPA LLC helps organisations define defensible, audit-ready AIMS scope statements that set the right foundation for successful ISO 42001 certification. Contact us today to start your scoping conversation.

FAQ

What must an ISO 42001 scope statement include?

An ISO 42001 scope statement must describe the AI systems included within AIMS boundaries, the organisational units and locations covered, the interfaces with out-of-scope activities, and justified exclusions for any significant AI systems or activities that are not included. It must be documented, formally approved, and available to auditors during Stage 1 review.

Can an organisation certify against ISO 42001 with a narrow scope?

Yes. A focused initial scope covering only your highest-risk AI systems is entirely legitimate and often the most practical starting point. However, the scope must be credible and meaningful — it cannot simply exclude significant AI systems to minimise implementation effort without documented justification.

Does ISO 42001 scope need to match ISO 27001 scope?

No. The two scope definitions address different governance domains and do not need to be identical. However, they should be consistent and complementary where AI systems and information assets overlap. Integrated scope definitions that reference both standards reduce documentation duplication and simplify governance for organisations running both management systems.

How often does ISO 42001 scope need to be reviewed?

Scope should be reviewed at least annually as part of the management review process, and whenever significant organisational changes occur — new AI systems are deployed, business units are restructured, or regulatory requirements change. Significant scope changes may require notification to your certification body.

What happens if our AI footprint grows beyond our certified scope?

Significant growth in your AI operations beyond the certified scope should be addressed through a planned scope expansion. Communicate planned expansions to your certification body proactively. Depending on the nature of the change, scope expansion may be addressed during the next scheduled surveillance audit or may require an additional audit visit.

Can third-party AI tools be excluded from ISO 42001 scope?

Third-party AI systems used in consequential decisions should generally be addressed within your AIMS scope — either by including them directly or by governing them through Annex A supplier management controls. Excluding them entirely without addressing the governance implications leaves a gap that auditors will question during Stage 1 and Stage 2 audit visits.
