Information Security Management System Scope

Defining and documenting the scope of an organization’s Information Security Management System (ISMS) is a mandatory requirement under ISO 27001. It is crucial for senior management to determine and define which information will be protected. For small to medium-sized organizations, it may make sense to include the entire organization in the scope of the ISMS. Although some registrars prefer that the entire organization be included in the scope, this is not required; however, any area or department that is excluded must be justified. If an organization limits the scope to certain areas or departments, the scope statement should not be overly complicated. Interested parties as well as employees need to understand clearly what is and what is not covered within the scope of the ISMS.

The scope should describe what information, processes, services, and functions an organization plans to protect, where they are physically located, and who has access to them.

The Statement of Applicability supports the scope, and auditors often prefer to review both at the same time.
