What are "Scope" and "Statement of Applicability" (SoA) in the context of ISO 27001 certification?
The Scope defines what part of the organization the ISMS covers, and the SoA lists which ISO 27002 controls apply — together they define the certification boundary.
Scope — the area the ISMS applies to:
- Entire company
- A single department
- A specific location
- Part of the infrastructure (e.g., the DMZ)
Statement of Applicability (SoA) — lists which controls from ISO 27002 the ISMS addresses, with justification for any exclusions.
Why this matters: A company with an ISO 27001 certificate might only have certified a small part of its operations. Always check the scope! A certificate for "the DMZ" doesn't mean the entire organization meets the standard.
Tip: Think of it like this — Scope = "where does the ISMS apply?", SoA = "what controls does it include?"