ISMS ISO 27001 – Scope

The Scope defines which part of your organisation is covered by the ISO 27001 certification.
Typically, the entire company is not certified; instead, the focus is on, for example, the IT department or a defined set of services.

Only objects that you assign to a scope will appear in:

  • SOA (Statement of Applicability),
  • Protection-need assessment,
  • Risk management, and
  • Audits

for that scope.


Examples of scopes

Typical scopes in an ISMS context:

  • "Security 2025 – central IT platform"
  • "ISO 27001 – data centre operations site X"
  • "Customer portal & back-end systems"
  • "Managed services for customer Y"

In the description you can document, for example:

  • organisational units,
  • locations,
  • services / products,
  • relevant interfaces with other areas.

Creating a new scope

  1. Open the ISMS ISO 27001 module.
  2. Switch to the Scope tile.
  3. Click "Create scope" (plus icon or three-dot menu).
  4. Enter:
     • Name (e.g. "ISO 27001 – core IT services"),
     • Description (boundaries, contents, locations),
     • optionally a formal boundary (e.g. by organisational unit),
     • if applicable, metadata such as validity period or certificate term.

Scopes are cross-module objects: you can reuse the same scope later in other modules (e.g. BCM or NIS 2) where it makes sense.


Adding processes and assets to the scope

The scope works like a shopping basket: you place all the objects you want to consider for ISO 27001 into it.

Objects that can be linked:

  • Processes
  • Infrastructure
  • Hardware
  • Software / Applications
  • Service providers
  • Data / information assets
  • Personnel

Procedure (example: infrastructure):

  1. Open the scope.
  2. Navigate to the Infrastructure section.
  3. Click "Connect infrastructure".
  4. The selection list shows all infrastructure objects that are not yet linked to this scope.
  5. Select one or more objects and confirm the connection.

The same logic applies to hardware, software, service providers, data, processes, and personnel.

Multi-select

In the selection dialog you can select multiple entries and connect them in one step – this saves a lot of time, especially with larger scopes.


Leveraging dependencies

If you have already maintained dependencies in the Inventory area, for example:

  • which processes use which assets,
  • which input/output assets are connected to a system,

you will benefit when defining the scope and later in protection-need assessments and risk management:

  • You can identify which assets are critical for an ISO scope.
  • You can detect single points of failure.
  • In the protection-need assessment, protection needs can be inherited along these dependencies.
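The following is an added illustration of the two ideas above (the scope as a basket that objects are connected to, and protection needs inherited along inventory dependencies); it is not the product's own code or data model. The class names, the three-level protection-need scale, the simplified single-point-of-failure rule and the sample inventory are all constructed assumptions for the example.

```python
"""Toy model of an ISMS scope with dependency-based inheritance.

Added example, not the tool's own code: class names, the protection-need
scale and the sample inventory are assumptions made for illustration.
"""
from dataclasses import dataclass, field

# Ordered protection-need scale (constructed; a product may use another scale)
LEVELS = ["normal", "high", "very high"]


def _max_level(a, b):
    return a if LEVELS.index(a) >= LEVELS.index(b) else b


@dataclass
class InventoryObject:
    name: str
    kind: str                            # "process", "software", "hardware", ...
    own_need: str = "normal"             # protection need set directly on the object
    depends_on: frozenset = frozenset()  # names of objects this one uses


@dataclass
class Scope:
    """The 'shopping basket': only connected members count for this scope."""
    name: str
    members: set = field(default_factory=set)

    def connect(self, *names):
        """Mirrors the multi-select 'Connect ...' dialog: add several objects at once."""
        self.members.update(names)


def dependents(inventory, name):
    """Objects that use `name` directly (reverse direction of depends_on)."""
    return [o for o in inventory.values() if name in o.depends_on]


def effective_needs(inventory, scope):
    """Maximum principle: an in-scope object inherits the highest protection need
    of any in-scope object that (transitively) depends on it. Fixpoint iteration
    keeps this terminating even if the inventory contains dependency cycles."""
    needs = {n: inventory[n].own_need for n in scope.members}
    changed = True
    while changed:
        changed = False
        for n in scope.members:
            for d in dependents(inventory, n):
                if d.name in needs:
                    new = _max_level(needs[n], needs[d.name])
                    if new != needs[n]:
                        needs[n], changed = new, True
    return needs


def transitive_dependencies(inventory, name):
    """All objects reachable from `name` along depends_on edges."""
    seen, stack = set(), [name]
    while stack:
        obj = inventory.get(stack.pop())
        if obj is None:
            continue  # dangling reference: nothing more to follow
        for dep in obj.depends_on:
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return seen


def single_points_of_failure(inventory, scope, min_processes=2):
    """Simplified SPOF rule (assumption): an in-scope non-process object that at
    least `min_processes` in-scope processes transitively depend on."""
    counts = {}
    for n in scope.members:
        if inventory[n].kind != "process":
            continue
        for dep in transitive_dependencies(inventory, n):
            if dep in scope.members:
                counts[dep] = counts.get(dep, 0) + 1
    return sorted(d for d, c in counts.items() if c >= min_processes)


def out_of_scope_dependencies(inventory, scope):
    """Boundary check: dependencies of in-scope objects that were never connected
    to the scope, i.e. interfaces to other areas to document, or objects that
    still need to be connected."""
    missing = {}
    for n in scope.members:
        outside = transitive_dependencies(inventory, n) - scope.members
        if outside:
            missing[n] = sorted(outside)
    return missing


# Constructed sample inventory (not real data)
SAMPLE_INVENTORY = {o.name: o for o in [
    InventoryObject("Customer portal", "process", "high", frozenset({"Portal app", "Customer DB"})),
    InventoryObject("Invoicing", "process", "very high", frozenset({"ERP", "Customer DB"})),
    InventoryObject("Portal app", "software", depends_on=frozenset({"VM cluster"})),
    InventoryObject("ERP", "software", depends_on=frozenset({"VM cluster"})),
    InventoryObject("Customer DB", "software", depends_on=frozenset({"Storage array"})),
    InventoryObject("VM cluster", "infrastructure", depends_on=frozenset({"Data centre X"})),
    InventoryObject("Storage array", "hardware", depends_on=frozenset({"Data centre X", "Storage vendor"})),
    InventoryObject("Data centre X", "infrastructure"),
    InventoryObject("Storage vendor", "service provider"),
]}


def build_sample_scope():
    scope = Scope("ISO 27001 – core IT services")
    scope.connect("Customer portal", "Invoicing")
    scope.connect("Portal app", "ERP", "Customer DB", "VM cluster", "Storage array", "Data centre X")
    return scope  # "Storage vendor" is deliberately left unconnected


if __name__ == "__main__":
    s = build_sample_scope()
    print(effective_needs(SAMPLE_INVENTORY, s))
    print(single_points_of_failure(SAMPLE_INVENTORY, s))
    print(out_of_scope_dependencies(SAMPLE_INVENTORY, s))
```

In the sample, the VM cluster has only a "normal" need of its own but inherits "very high" because the invoicing process depends on it via the ERP system; the storage array, customer database, VM cluster and data centre are reported as shared dependencies of both processes; and the unconnected storage vendor shows up as a boundary interface that should either be connected to the scope or documented in its description.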

Reusing a scope in other modules

A scope that has been created can be used across multiple modules:

  • ISMS ISO 27001 (this module),
  • BCM (e.g. "Security 2025" as a BCM scope),
  • IT-Grundschutz,
  • NIS 2.

This means you do not have to start from scratch in every module but can reuse the same boundary – with module-specific views (e.g. ISO SOA vs. BCM BIA).


Effects of a scope

Once you have defined and populated a scope:

  • the SOA shows only the controls, documents, and measures relevant to that scope,
  • protection-need assessments and risk analyses clearly relate to the selected scope,
  • you can plan and evaluate audits on a per-scope basis.

If you change the scope (e.g. new systems, additional processes), you should check whether:

  • the SOA needs to be updated,
  • new protection-need assessments are required,
  • additional risks need to be assessed.