What Is an ISO 27001 Scope Statement?
The ISMS scope statement defines the boundaries and applicability of your Information Security Management System. It specifies which parts of your organization, which locations, which processes, and which information assets are covered by your ISO 27001 certification.
Clause 4.3 of ISO 27001:2022 requires you to determine the scope of the ISMS by considering:
- External and internal issues (Clause 4.1)
- Requirements of interested parties (Clause 4.2)
- Interfaces and dependencies between activities performed by the organization and those performed by other organizations
Your scope statement is one of the first documents an auditor reviews. If it is unclear, too broad, or excludes critical dependencies, your certification audit will have problems before it even starts.
Why Scope Matters More Than You Think
Cost Impact
Every additional location, department, or system in scope increases:
- The number of controls you need to implement
- The documentation you need to create
- The number of people who need security awareness training
- The duration and cost of your certification audit
A well-defined scope can reduce your certification cost by 40-60% compared to an overly broad scope.
Audit Implications
Auditors will test whether your scope makes sense. Specifically, they will challenge:
- Exclusions: If you exclude a department that processes sensitive data, the auditor will question why
- Boundaries: If your scope says "London office" but your London staff access systems hosted in a data center you excluded, the auditor will flag this
- Interfaces: If you rely on a shared IT team that is out of scope, the auditor will want to understand how you manage that interface
What to Include in Your Scope Statement
1. Organizational Context
Identify the organization or business unit being certified:
- Legal entity name
- Business activities relevant to the ISMS
- Industry and regulatory environment
2. Locations
List every physical and virtual location in scope:
- Office locations
- Data centers (owned or third-party)
- Remote work arrangements
- Cloud infrastructure
3. Processes
Define which business processes are included:
- Core business processes (those that deliver your products/services)
- Supporting processes (HR, finance, IT operations)
- Management processes (governance, risk management, audit)
4. Information Assets
Describe the types of information covered:
- Customer data
- Employee data
- Intellectual property
- Financial records
- System configurations and credentials
5. Technologies
List the key technology platforms and systems:
- Cloud services (AWS, Azure, Google Cloud)
- Business applications (CRM, ERP, email)
- Network infrastructure
- Endpoint devices
6. Exclusions and Justifications
Document anything explicitly excluded and why:
- Departments or business units not in scope
- Legacy systems being decommissioned
- Joint ventures or subsidiaries with separate certification
Every exclusion needs a justification. "We decided not to include it" is not acceptable. Legitimate reasons include: separate legal entity with its own ISMS, system being decommissioned within 6 months, no processing of sensitive information.
Scope Statement Examples
Example 1: SaaS Company
"The scope of the ISMS covers the design, development, deployment, and operation of the [Product Name] SaaS platform, including all supporting processes, infrastructure, and personnel. This includes:
- Locations: Head office at [address]; remote workers in [countries]; AWS eu-west-1 and us-east-1 regions
- Processes: Software development, platform operations, customer support, sales, HR, and finance
- Technologies: AWS infrastructure, GitHub, Jira, Slack, Google Workspace, [Product Name] application
- People: All employees (45 FTE), contractors with system access (8)
Exclusions: Marketing agency [Name] is excluded as they do not access customer data or internal systems. Marketing content is reviewed before publication by in-scope personnel."
Example 2: Professional Services Firm
"The scope of the ISMS covers the delivery of consulting services and the management of client information at [Company Name], including:
- Locations: [City] office at [address]; client sites where consulting engagements are delivered
- Processes: Client engagement delivery, proposal management, knowledge management, HR, IT operations, and finance
- Technologies: Microsoft 365, SharePoint, client VPN connections, company-issued laptops
- People: All employees (120 FTE), subcontractors with access to client data (15)
Exclusions: The [City 2] office is excluded as it operates as a separate legal entity with its own information security program. Interfaces between the two entities are managed through a formal information sharing agreement."
Example 3: Manufacturing Company
"The scope of the ISMS covers the information systems supporting manufacturing operations, supply chain management, and corporate functions at [Company Name], including:
- Locations: Corporate headquarters at [address]; manufacturing facility at [address]; Azure West Europe data center
- Processes: Production planning, supply chain management, quality management, ERP operations, HR, finance, and IT
- Technologies: SAP ERP, MES system, Azure cloud infrastructure, office network, OT/SCADA systems
- People: All corporate and factory staff with access to information systems (350 FTE)
Exclusions: The retail distribution network (12 owned stores) is excluded as stores operate standalone POS systems with no connectivity to corporate information systems. Store data is transferred via encrypted batch upload to the ERP system, which is in scope."
Common Scope Mistakes
Too broad. Scoping your entire global organization when certification is only needed for one product line. Start focused and expand later.
Too narrow. Excluding shared services (IT, HR) that directly support in-scope processes. If your in-scope department uses the company email system, that email system is in scope.
Ignoring cloud. If your data is in AWS, your cloud infrastructure is in scope even though the data center is not yours. You need to demonstrate controls over your cloud configuration.
Forgetting remote workers. Post-pandemic, remote and hybrid workers must be explicitly included in scope if they access in-scope systems and data.
No justification for exclusions. Every exclusion needs a documented rationale that an auditor will accept.
Build Your Scope Statement with a Guided Tool
The ISMS Scope Builder on iso27001kit.com guides you through defining your scope systematically - selecting locations, systems, processes, and legal requirements, and generating a formatted scope statement ready for your ISMS documentation.
Build your scope statement now - free
Found this article helpful?
Share it with your colleagues.
