ISO 27001 Certificate Scope

What it is, what it must include, and audit expectations

This guide explains what the Certification Scope is, what it should include and/or exclude, and how your auditor can help you.

What is a Certificate Scope?

The Certificate Scope is the sentence that appears on your ISO 27001 Certificate. It describes what your company does in an accurate, but general way.

It’s not the same as the ISMS Scope (although there will be similarities) - it should be shorter, sharper and more concise!

How to write your Certificate Scope

Pointers on writing your Certificate Scope:

  • Keep the wording limited (15 - 20 words or less, if possible) - think short and sweet!

  • Describe what your company does in an accurate, but general way.

  • The Certificate Scope must correspond to what is being audited. For example, you shouldn’t include a reference to a product/service, office/location, or department that was excluded from the scope of the audit.

  • If your company provides software as well as a consultancy service, both must be included in the scope.

  • If you are targeting a specific industry, this should be added in as well (e.g. “Development and operation of XYZ software for [insurance companies]”).

  • Don’t add in unnecessary wording (fluff), such as referencing the Statement of Applicability or referencing all the systems and tools that you utilise.

  • If there are any exclusions, you don’t need to state them expressly in the Certificate Scope; however, the inclusions do need to be referenced, which implicitly excludes everything else. For example, if you’re excluding some departments but not others, you might list all the departments that are included (which will implicitly exclude the other departments).

  • Remember, the Certificate Scope is not the same as the ISMS scope, but it needs to be connected and the ISMS scope is a helpful starting point!

  • Some examples of commonly used Certificate Scopes:

    • For software services: “Development and operation of XYZ software.”

    • For consultancy: “Provision of XYZ consultancy services.”

    • For software services and consultancy: “Development and operation of XYZ software and the provision of adjacent consultancy services.”

    • If targeting a specific industry: “Development and operation of XYZ software for insurance companies.”

How Tempo Audits can help you

Your auditor can help you by:

  • Reviewing the basic version of the scope that was submitted in your application form

  • Discussing your Certificate Scope with you at the Stage 1 audit, and agreeing a draft version with you for the Stage 1 report

  • Allowing further iteration on the Certificate Scope at the Stage 2 audit, up until Tempo issues the certificate