In the context of an Information Security Management System (ISMS), scope defines the boundaries and applicability of the management system—specifying which processes, locations, departments, systems and information assets are covered. Setting the scope is one of the first steps in ISO 27001 implementation and directly influences which controls from Annex A must be considered in the Statement of Applicability.
A well-defined scope ensures that the ISMS is focused and manageable, whilst still covering all areas where information security risks could affect the organisation. A scope that is too narrow may leave critical assets unprotected, whilst one that is overly broad can make the management system impractical to operate. The scope statement must be documented and made available to interested parties, including certification auditors.