Defining Scopes

    What is the scope of your management system?

    The scope of your management system describes what exactly falls under your system. It is like the framework within which your system operates. It tells:

    ✔️ which processes,
    ✔️ which products and services,
    ✔️ which locations or departments,
    ✔️ and possibly which excluded components

    fall under your management system. The scope shows where the system applies and what it achieves.

    📍 Why is a clear scope important?

    A clear scope helps to:

    • show what your system controls

    • plan and conduct audits effectively

    • provide clarity to external parties (customers, certification bodies)

    • prevent things from accidentally falling outside the system

    🛠️ How do you determine a good scope?

    ✅ 1. First, think about what you do

    Start by describing:

    • what your organization does

    • which products and services you provide

    • at which locations this occurs

    Consider what you are responsible for and what you want to improve with your management system.

    👉 Don't just think about physical places — digital activities or services also fall under your scope if they are important for your work.

    ✅ 2. Look at your internal and external context

    ISO 9001 requires you to look at:

    • internal factors — such as your processes, structure, employees

    • external factors — such as laws and regulations, customer desires, market conditions

    Both influence which components you need to include in your scope.

    ✅ 3. Determine which ISO requirements are applicable or not

    ISO 9001 discusses what is applicable to your organization.
    That means:

    ✔️ most requirements are generally applicable
    ❌ some components may be not relevant

    For example: an organization that does not design products may find design activities not relevant. But then you must clearly explain why that is not applicable.

    ✅ 4. Write your scope in one clear sentence

    A good scope is:

    ✏️ short and concrete
    ✏️ not vague or too broad
    ✏️ describes processes, services, or products precisely enough
    ✏️ and mentions locations

    Example:

    “Information security related to the design and delivery of ICT services for business customers, carried out at the headquarters in the UK and via external workplaces.”

    ✅ 5. Ensure your scope aligns with what you actually do

    Your scope must match the reality:

    ✅ the processes you claim fall under your system
    ✅ the services you provide
    ❌ must not mention things you do not do

    this prevents confusion for auditors and customers.

    👍 6. Be honest about what you do not do

    If you consciously exclude certain activities from your scope, make sure you:

    ✔️ clearly explain why they are not applicable
    ✔️ show that this does not compromise quality or customer satisfaction

    ISO standards accept that some components are not relevant, as long as you can justify it.

    🔁 7. Keep your scope up to date

    Your scope is not fixed forever.
    It must be updated if:

    • your organization changes

    • your processes change

    • you add new locations or services

    For example: if you start selling online from home, that changes what falls under your system.

    📌 In summary — checklist for a good scope

    ✔️ Describe what your organization does
    ✔️ Name processes, products, services, and locations
    ✔️ Look at internal and external factors
    ✔️ Determine which ISO requirements are applicable
    ✔️ Write the scope clearly and concretely
    ✔️ Indicate what is not applicable with explanation
    ✔️ Update the scope when necessary