ISO 27001:2022 Clause 4.3 Explained: Determining the scope of the information security management system
- Adam Hollick
- 3 days ago
- 5 min read
When working toward ISO 27001:2022 certification, one of the first and most important tasks is defining the scope of your information security management system (ISMS). Clause 4.3 of the ISO 27001:2022 standard requires organisations to do this clearly and thoughtfully. In this article, we break down Clause 4.3 in plain English and walk you through how to get it right.
What does clause 4.3 say?
ISO 27001:2022 Clause 4.3 is titled "Determining the scope of the information security management system." It requires your organisation to determine the boundaries and applicability of the ISMS, in other words to decide which parts of the business, which locations and which services the ISMS will cover and which it will not. The result must be recorded as documented information, written clearly enough that an auditor, a customer or a new employee can tell what is in and what is out.
To do this, the standard says you must consider:
The internal and external issues you identified in Clause 4.1.
The needs and expectations of interested parties identified in Clause 4.2.
The interfaces and dependencies between your organisation’s activities and those of others.
Once you’ve done that, you must document the scope so that it’s available to anyone who needs to see it.
Why the scope is so important
Your ISMS scope sets the boundaries for everything that follows. It defines:
What parts of your organisation are covered by the ISMS.
What information assets are protected.
Which locations, departments, systems, and services are included (or not included).
If you don’t define your scope properly, your ISMS could be too wide (making it expensive and difficult to manage), or too narrow (leaving important areas unprotected). Either mistake can cause problems during the certification audit.
Who owns the scope?
Typically, the Information Security Officer or ISMS Lead is responsible for developing and managing the scope. However, they don’t do it alone. You’ll need input and approval from:
senior leadership,
heads of department,
IT and security teams,
legal, compliance, and risk professionals, and
clients or other interested parties.
How to define your information security management system scope
Defining the scope properly takes some thought. Here’s a guide you can follow:
List what your business does. Start by listing all your organisation’s products and services. Be specific.
Understand what clients expect. Look at contracts, SLAs, and customer expectations. Are there any products or services that absolutely need to be covered by your ISMS?
Ask the leadership team. Speak to senior leaders about their expectations. Which areas do they want to see protected?
Get input from other interested parties. Consult other stakeholders like regulators, partners, or insurers. Their needs matter too.
Decide what’s in and out. Now decide which products, services, locations, and systems are in scope and which are out of scope. For anything you exclude, record the reason.
Consider context and risks. Review the internal and external issues you identified earlier (Clause 4.1). Are there any factors that could affect the scope? For example, regulatory requirements, market pressures, or remote workers.
Identify boundaries and interfaces. Map out your people, premises, technologies, and suppliers. Document every link between in-scope and out-of-scope systems, such as shared networks, a group-wide identity provider, outsourced hosting, or a support contract held by another business unit. Interfaces matter: an out-of-scope system that an in-scope service depends on still has to be handled in your risk assessment and supplier controls.
Confirm with leadership. Share your draft scope with senior leadership and get their approval. Make sure everyone is on the same page.
Write the scope statement. Now you can write your formal scope statement. Keep it clear and to the point, and bear in mind that this wording is what will appear on your certificate.
Get feedback from your certification body. Share your draft scope with your certification body. They are not allowed to consult on the design of your ISMS, but they will review the proposed scope when you apply and again at the Stage 1 audit, and may flag wording that is ambiguous or exclusions they would challenge.
What to include in your scope statement
A good scope statement:
names the organisation (or part of it) that the ISMS applies to,
lists the products, services, or processes covered,
notes the locations involved, and
refers to the Statement of Applicability for specific controls.
Example
“The scope of this Information Security Management System (ISMS) covers all software development and cloud-hosted services delivered by [Your Company Name] from its London and Manchester offices, including the people, premises, infrastructure and third-party services that support them. The controls applied within this scope are listed in the Statement of Applicability v2.1.”
What auditors look for
When the auditor comes, they’ll want to see:
a written scope statement,
evidence that the scope was agreed and approved,
that the scope considers all relevant issues, stakeholders, and interfaces, and
that excluded areas do not introduce unacceptable risks.
The auditor will also check that what you say is in scope matches what’s actually in place.
Tips for avoiding common mistakes
Don’t go too broad. Trying to include everything can lead to wasted effort.
Don’t go too narrow. Leaving out high-risk areas could backfire.
Don’t forget customers. Their needs might dictate what must be in scope.
Keep documentation clean. Poorly documented scopes can cause audit failures.
Review the scope regularly. Your scope isn’t set in stone. Update it as your organisation changes.
Clause 4.3 checklist
Use this checklist to make sure you’ve properly implemented Clause 4.3:
Organisational boundaries
Have you identified legal, physical, and functional boundaries of the organisation?
Have you considered subsidiaries, regional offices, or separate business units?
Products and services
Have you listed all products and services your organisation provides?
Have you decided which are in scope and which are out?
Stakeholder input
Have you consulted key internal stakeholders (leadership, department heads)?
Have you reviewed client contracts and customer expectations?
Have you gathered feedback from regulators, insurers, or other interested parties?
Clause 4.1 and 4.2 context
Have you reviewed internal/external issues that could affect your ISMS scope?
Have you captured the needs and expectations of interested parties?
Interfaces and dependencies
Have you mapped out connections between in-scope and out-of-scope systems?
Have you considered third-party suppliers or outsourced functions?
Exclusions
Have you identified anything you're explicitly excluding from scope?
Have you documented why those exclusions do not introduce unacceptable risk?
Documentation
Have you written a clear, unambiguous scope statement?
Does it list what’s included (and excluded), by location, service, or department?
Have you linked it to the current Statement of Applicability?
Approval and review
Has the scope been formally approved by top management?
Has it been shared with your certification body for feedback?
Is there a process for reviewing and updating the scope as needed?
Final thoughts
Clause 4.3 might look simple on paper, but it’s one of the most important parts of your ISMS. It sets the boundaries for your risk assessment, your controls and your certification, and it determines what the auditor will assess. Take your time, get input from the right people, and document everything clearly.