ISO 27001 scope: what to include and what to leave out
Scope is the single most important decision in an ISO 27001 project. Get it right and everything else gets easier.
- iso-27001
- scope
Before you write a single policy, you make one decision that shapes the entire project: what’s in scope. Get it right and the work stays proportionate. Get it wrong and you either over-build or fail to convince anyone.
What “scope” actually means
Your scope defines the boundary of your information security management system — which parts of your business, which services, which locations, and which information the ISMS covers. Everything you do afterwards applies inside that boundary.
Start from what your customers care about
The most useful question is: what are people actually asking us to secure? Usually it’s a specific product or service and the data behind it. That’s your natural starting scope.
A sensible default for SMEs
For most small companies, a clear, defensible scope looks like:
- The service you sell, plus the systems that deliver it
- The data you hold for customers
- The team that builds and runs it
- The cloud infrastructure it runs on
What you can usually leave out (for now)
- Office printers and meeting-room gadgets that touch no customer data
- Side projects and experiments that aren’t customer-facing
- Legacy systems you’re actively retiring
You don’t leave things out to cheat — you leave them out because they’re not relevant to the risks your customers care about. You document why, and that’s a legitimate part of the standard.
A tight, honest scope you can defend beats a sprawling one you can’t.
Don’t paint yourself into a corner
Scope too narrowly and a customer may ask for something just outside it. Scope too broadly and you drown in irrelevant controls. Aim for the smallest boundary that still covers what you’re actually being asked to prove — you can always expand later.
Plain Compliance helps you frame a realistic scope from how your business works, then maps controls inside it. Start your free gap analysis.
Compliance starts with a conversation.
Answer around 20 plain-English questions and get a first-pass ISO 27001 gap analysis built around your business.