ISO 27001 Certificate Scope

What it is, what it must include, and audit expectations

This guide explains what the Certification Scope is, what it should include and/or exclude, and how your auditor can help you.

What is a Certificate Scope?

The Certificate scope is the sentence that appears on your ISO 27001 Certificate. It describes what your company does in an accurate, but general way.

It’s not the same as the ISMS Scope (although there will be similarities) - it should be shorter, sharper and more concise!

How to write your Certificate Scope

Pointers on writing your Certificate Scope:

  • Keep the wording limited (15 - 20 words or less, if possible) - think short and sweet!
  • Describe what your company does in an accurate, but general way.
  • The Certificate Scope must co-ordinate with what is being audited. For example, you shouldn’t include a reference to a product/ service, office/ location, or department that was excluded from the scope of the audit.
  • If your company provides a software, as well as a consultancy service, both must be included in the scope.
  • If you are targeting a specific industry, this should be added in as well (e.g. ““Development and operation of XYZ software for [insurance companies]")
  • Don’t add in unnecessary wording (fluff), such as referencing the Statement of Applicability or referencing all the systems and tools that you utilise.
  • If there are any exclusions, you don’t need to expressly state such exclusions in the Certificate Scope; however, the inclusions do need to be referenced (which will tacitly exclude the exclusions). e.g. if you’re excluding some departments but not others, you might list all the departments that are included (which will implicitly exclude the other departments).
  • Remember, the Certificate Scope is not the same as the ISMS scope, but it needs to be connected and the ISMS scope is a helpful starting point!
  • Some examples of commonly used Certificate Scopes:
    • For software services: “Development and operation of XYZ software"
    • For consultancy: “Provision of XYZ consultancy services.”
    • For software services and consultancy: “Development and operation of XYZ software and the provision of adjacent consultancy services.”
    • If targeting a specific industry: “Development and operation of XYZ software for insurance companies"

How Tempo Audits can help you

Your auditor can help you by:

  • Your auditor will review the basic version of the scope that was put in your application form
  • They will then discuss your Certificate Scope with you in your Stage 1 audit, and agree a draft version for the Stage 1 report alongside you
  • There will be room for further iteration on the Certificate Scope at the Stage 2 audit, up until Tempo issues the certificate

Reviews

Trusted by fast-moving tech teams across the world who value a more human audit experience.

We transferred to Tempo from one of the established certification bodies — and we are delighted with the choice. Our audit was one of the smoothest we’ve had in terms of collaboration and engagement.
Laurence, Director of IT & Client Services @ RDT
If Carlsberg did auditors… We use Tempo for our ISO 27001 auditing and I'm thrilled that we were introduced. They ensured that the process dovetailed so smoothly with our ongoing operational activities that the impact was barely noticeable.
Jason, Director of Operations @ The Risk Factor
The Tempo team moved really fast to help us meet our timeframes — it’s rare to have an audit firm move at the speed of a start-up.
Ellie, COO @ Everblue Technology
Alfonso was nothing short of brilliant. Having worked with many auditors over the years, he stood out for his clarity, professionalism, and kindness. He completely changed my view of auditors.
Amardeep, Director @ Blue Edge
Tempo lives up to its name. No other company we contacted was faster or more straightforward during the process.
Lukas, CEO @ Noreja Intelligence
Is it weird to say I had a good time? We had worked with a more traditional auditor, but they didn't understand the needs/tech of our start-up. Tempo knew how to use our ISMS software and understood our business.
Jonny, Head of Engineering @ Nomio

Resources

Audit Timeline

How long does ISO 27001 certification take? Explore audit timelines, preparation requirements, common delays, and certification expectations.

Stage 1 Audit

Understand ISO 27001 Stage 1 audit requirements, checklists, costs, and preparation steps. Learn how to assess ISMS readiness and progress confidently to Stage 2.

Stage 2 Audit

Learn how the ISO 27001 Stage 2 audit works, what evidence is required, common mistakes to avoid, and how to achieve certification.

Internal Audit

ISO 27001 internal audit guide covering Clause 9.2 requirements, audit planning, Annex A controls, checklists, evidence collection, and compliance.

Statement of Applicability

Learn what an ISO 27001 Statement of Applicability (SoA) is, what it must include, common audit expectations, and how to avoid certification delays.

Certification Scope

Learn how to define your ISO 27001 certification scope, what it should include, common mistakes to avoid, and what auditors expect during certification.

Controls

ISO 27001 controls explained: Annex A & the 93 controls (2026 guide)

Audit Preparation

Learn how to prepare for ISO 27001 certification with a practical guide to audit readiness, risk management, internal audits, and UKAS audits.

UKAS Accreditation

A practical guide to UKAS-accredited ISO 27001 certification, including audit stages, accreditation benefits, procurement requirements, and certification verification.

Requirements

Get audit-ready with our guide to ISO 27001 certification requirements, including mandatory clauses, controls, documentation, and certification steps.

Certification Cost

How much does ISO 27001 certification cost in the UK? Learn typical audit fees, pricing by company size, and the factors that influence certification costs.

Risk Assessment

ISO 27001 risk assessment explained. Learn the 5-step process, risk treatment methods, Statement of Applicability, and audit requirements.

ISO 27001 Resources

FAQs

ISO 27001 can feel complicated at first. Here are the answers to the questions we hear most from growing teams.

Significant scope changes must be communicated to your certification body. Depending on the impact, a scope extension audit or reassessment may be required to maintain certification validity. Examples of this include: substantial growth in headcount, new products / services, new locations, new entities or companies within scope.

No. Scope expansion requires a new or extended audit. Transfers are limited to maintaining the same scope or reducing it.

Book a call

No forms, no faff – just a conversation and a quote. Prefer to skip straight to it? Fill out the application form and we'll get moving.

Alternatively, if you have all the details,
fill out this form here.

Latest Articles

June 8, 2026

Case Study: How The Risk Factor achieved ISO 27001 certification in 4 weeks

ISO 27001
May 26, 2026

What Is ISO 27001? A Complete Guide to Information Security Standards

ISO 27001
May 26, 2026

ISO 27001 Benefits for SaaS: Win Clients Faster

ISO 27001
May 26, 2026

ISO 27001 vs. SOC 2: Which Certification is Right for Your Business?

ISO 27001, SOC 2
May 26, 2026

ISO 27001 Audit: What to Expect and How to Prepare

ISO 27001
May 26, 2026

Why ISO 27001 Certification is Important for Small Businesses

ISO 27001
May 26, 2026

ISO 27001 Remote Auditing: The Future Of Information Security Audits

ISO 27001
May 26, 2026

ISO 27001 Accreditation Bodies: A Complete Guide for Tech Companies

ISO 27001
May 26, 2026

How to Get ISO 27001 Certified: A Step-by-Step Guide for 2026

ISO 27001
May 26, 2026

ISO 27001 Stage 1 vs Stage 2: What's the Difference?

ISO 27001