What is ISMS Scope?

ISMS scope defines the boundaries of your Information Security Management System -- which parts of the organization, locations, people, processes, systems, and information the ISO/IEC 27001 ISMS covers. ISO 27001 (clause 4.3) requires the scope to be documented, and it is what an accredited certificate ultimately states you are certified for.

Scope answers "what exactly is certified?" It is set in clause 4.3 by considering the organization's context, the needs of interested parties, and the interfaces and dependencies with activities performed by other parties. A scope can be the whole company or a defined subset, such as a single product line, business unit, or data center.

For example, a SaaS company might scope its ISMS to "the development, hosting, and support of the [Product] platform and its supporting corporate functions," deliberately drawing a clear line around what is and is not included. Scope directly shapes which risks you assess, which Annex A controls apply, and what the certificate will say -- so a scope that is too narrow can disappoint customers, while one that is too broad can slow you down.

A scope statement template plus the supporting context and interested-parties documents give you a defensible starting structure you can tailor quickly. The documentation accelerates getting audit-ready, but the scope must honestly reflect your real operations; the certificate itself is issued only after an accredited body audits the ISMS within that scope.

Related terms: Information Security Management System (ISMS) · Risk Assessment · Statement of Applicability (SoA) · Gap Analysis

Frequently asked questions

Does ISO 27001 have to cover my whole company?
No. The scope can be the entire organization or a defined subset, such as one product, team, or location. The certificate states the exact scope, so it should match what your customers expect to be covered.
Where is ISMS scope defined in ISO 27001?
Clause 4.3 of ISO/IEC 27001 requires you to determine and document the scope, taking into account the organization's context (clause 4.1) and the requirements of interested parties (clause 4.2).
Can I expand the scope later?
Yes. Many organizations start with a focused scope and broaden it at a later surveillance or recertification audit. Scope changes are reviewed by your certification body and reflected on an updated certificate.

Toolkits that cover ISMS Scope

ISO/IEC 27001:2022

ISO 27001 Policy Pack — Core

16 editable ISO/IEC 27001:2022 policies plus the full 93-control Statement of Applicability — everything a small business needs to start its ISMS.

$59 · 30% off with code
ISO/IEC 27001:2022

ISO 27001 Complete Toolkit

All 24 policies and procedures plus the risk register, 93-control Statement of Applicability and audit evidence checklist — audit-ready from day one.

$99 · 30% off with code
ISO/IEC 27001:2022

ISO 27001 Toolkit for SaaS Companies

17 editable ISO/IEC 27001:2022 policies written natively for cloud-native SaaS — including a Customer Data Isolation & Multi-Tenancy Security Policy — plus a SaaS-specific risk register and the 93-control Statement of Applicability.

$69 · 30% off with code


Professional editable templates — general information only, not legal, audit, tax, or certification advice, and no professional or advisory relationship is created. No purchase makes an organization compliant or certified. Review each document with qualified counsel, your compliance professional, or your auditor before relying on it. ISO, IEC, SOC 2, AICPA, HIPAA, NIST, GDPR, the EU AI Act, IRS and FTC are referenced descriptively only; ComplianceDocs (ExpertEngine LLC) is independent and is not affiliated with, endorsed by, or certified by any standards body, regulator, or audit firm.