Can You Limit the Scope of Your ISO 9001 Certification?

The Short Answer Is Yes, But There Are Rules

Yes, you can limit the scope of your ISO 9001 certification. This is one of the most practical and underused options available to businesses going through the certification process. Instead of certifying your entire organisation, you can define a specific boundary around the parts of your business that will fall under the quality management system. That boundary is your certification scope.

But here is where businesses often get into trouble. Limiting scope is not the same as cherry picking only the easy parts of your business to avoid scrutiny. ISO 9001 has clear rules about what can and cannot be excluded, and your certification body will hold you to them. If you try to carve out parts of your operation that are genuinely central to delivering your product or service, you will get pushback during the audit, and rightly so.

This article walks you through exactly how scope works under ISO 9001, what you can legitimately exclude, how to write a scope statement that holds up under audit, and the common mistakes businesses make when trying to limit their scope. If you are just starting out, it also helps to read our first-time ISO certification guide for broader context on how the certification process works.

What Is the ISO 9001 Certification Scope?

The scope of your ISO 9001 certification defines what is included in your quality management system. It tells auditors, customers, and anyone looking at your certificate exactly which parts of your organisation, which locations, which products or services, and which processes are covered by the certification.

Under Clause 4.3 of ISO 9001, you are required to determine the boundaries and applicability of your quality management system. This is not optional. Every certified organisation must have a defined scope, and that scope must be documented and available to interested parties.

Your scope statement will appear on your ISO 9001 certificate. Customers who ask to see your certificate will read it. Procurement teams assessing your tender submissions will check it. So it needs to be accurate, honest, and specific enough to be meaningful.

What Goes Into a Scope Statement?

A well-written scope statement typically covers three things. First, it identifies what the organisation does, meaning the products or services it provides. Second, it identifies where those activities happen, covering sites and locations. Third, it notes any exclusions from the requirements of the standard, along with the justification for those exclusions.

Here is a simple example. A manufacturing company that makes industrial valves at a single site in Melbourne might write a scope like this:

Design, manufacture and supply of industrial valves for the oil and gas sector, conducted at our facility in Dandenong, Victoria.

What Can You Legitimately Exclude From ISO 9001?

This is the part that confuses most people. ISO 9001 allows you to exclude certain requirements of the standard, but only if those requirements genuinely do not apply to your organisation or your products and services. The standard is explicit that exclusions cannot affect your ability or responsibility to ensure the conformity of your products and services and the enhancement of customer satisfaction.

In practical terms, the most common legitimate exclusion is design and development, which sits under Clause 8.3 of the standard. If your business does not design products or services, if you manufacture to customer drawings or follow a prescribed specification without any design input, then you can exclude this clause. This is very common in contract manufacturing, subcontracting, and certain distribution businesses.

Examples of Legitimate Exclusions

• Design and development (Clause 8.3): A metal fabricator who builds components strictly to customer-supplied engineering drawings has no design function. Excluding this clause is entirely appropriate.
• Customer property (Clause 8.5.3): If your business never handles property owned by customers, this clause does not apply. A software company that develops its own products and never receives customer-supplied materials or equipment would have a legitimate basis for exclusion.
• Post-delivery activities (Clause 8.5.5): If your product or service has no post-delivery obligations, for example a business that sells a product outright with no maintenance, warranty, or support obligations, this clause may not apply.

The key test is always this: does the excluded requirement genuinely not apply to what you do? If the answer is yes, and you can justify it clearly, the exclusion is valid. If you are excluding something just because it is inconvenient or because you do not currently have a process for it, that is not a valid exclusion. That is a gap in your system that needs to be addressed.

Limiting Scope by Site, Division, or Product Line

Beyond clause exclusions, you can also limit your scope geographically or operationally. This is a different kind of scope limitation, and it is extremely useful for larger or more complex organisations.

Multi-Site Organisations

If your company has five locations but only two of them are involved in the product or service you want certified, you can limit the scope to those two sites. The other three sites simply fall outside the boundary of the quality management system. Your certificate will specify the included sites, and the excluded sites will not be audited.

This approach makes a lot of sense when different sites perform fundamentally different functions. A company with a head office, a manufacturing plant, and several retail outlets might choose to certify only the manufacturing plant, because that is the part of the business where quality management is most critical and most relevant to their customers.

Certifying a Single Division or Business Unit

Some businesses operate across multiple industries or service lines. A large engineering firm might have a construction division, a consulting division, and a training division. If only the construction division is seeking ISO 9001 certification, perhaps because that is the division tendering for government work, they can limit the scope to that division alone.

If you are pursuing certification to win government contracts, it is worth understanding what ISO certification is actually required for government tenders, because the scope requirements can vary depending on the contract type and the procuring agency.

Certifying a Single Product Line

Similarly, if you manufacture multiple product categories but only one of them is relevant to a particular market or customer requirement, you can limit your scope to that product line. A food manufacturer that produces both packaged snacks and industrial ingredients might certify only the packaged snack line if that is where their quality-sensitive customers sit.

What You Cannot Exclude

This is where businesses sometimes get into trouble, particularly when they are trying to minimise the effort involved in certification. There are some things you simply cannot exclude from your ISO 9001 scope, no matter how inconvenient they are.

You cannot exclude any process that is central to delivering your certified product or service. If you are certifying your manufacturing operation, you cannot exclude the production floor from the quality management system because it is messy or complicated. If you are certifying your IT services business, you cannot exclude the service delivery team because they are difficult to document.

You also cannot exclude support functions that directly affect product or service quality. Human resources processes that affect competency, procurement processes that affect the quality of inputs, and maintenance processes that affect equipment reliability are all examples of support functions that feed directly into product quality. Excluding them would undermine the integrity of the system.

Certification bodies are trained to spot scope gaming. If your defined scope looks suspiciously narrow compared to what your business actually does, your auditor will ask questions. They may expand the scope of their audit to satisfy themselves that the boundary is legitimate. If they find that excluded areas are actually central to your certified activities, they can raise a nonconformity or, in serious cases, refuse to issue the certificate.

How to Write a Scope That Holds Up Under Audit

Writing a good scope statement is a skill. It needs to be specific enough to be meaningful, but not so narrow that it misrepresents what your business does. Here are some practical guidelines.

Be Specific About What You Do

Vague scope statements cause problems. A scope that says

provision of engineering services

design, installation and commissioning of electrical control systems for the mining industry, conducted at our Brisbane office and client sites across Queensland

Name Your Sites and Locations

If your certified activities happen at specific locations, name them in your scope. This prevents ambiguity about what is and is not covered. If you add a new site later that falls within the scope of your quality management system, you will need to notify your certification body and potentially have the site added to your certificate.

State Exclusions Clearly and Justify Them

If you are excluding any clauses of the standard, state them explicitly in your scope documentation and provide a clear justification. Do not just write

Clause 8.3 is excluded.

Clause 8.3 Design and Development is excluded because the organisation manufactures products solely to customer-supplied specifications and drawings, and does not undertake any design activities.

Practical Scenarios Where Limiting Scope Makes Sense

Let me give you a few real-world scenarios where limiting scope is not just acceptable but genuinely the right approach.

The Startup Seeking Its First Contract

A small IT services company with 12 staff is bidding on a government contract that requires ISO 9001 certification. The company also does some ad hoc consulting work on the side, but that work is informal and represents less than 5 percent of revenue. Certifying only the IT services delivery function makes complete sense. The consulting work is genuinely peripheral and does not affect the quality of the certified service.

The Manufacturer With an Unrelated Retail Arm

A manufacturer of safety equipment also runs a small retail store selling branded merchandise. The retail operation has nothing to do with manufacturing quality and is not relevant to the customers who care about ISO 9001 certification. Limiting the scope to the manufacturing operation is entirely appropriate.

The Distributor Who Does Not Design Products

A medical device distributor sources products from overseas manufacturers and sells them into the Australian market. They do not design, manufacture, or modify any products. Excluding Clause 8.3 is straightforward and legitimate. Their quality management system focuses on procurement, storage, distribution, and customer service instead. For distributors managing quality systems without dedicated quality staff, the challenges are real, and our guide on ISO 9001 maintenance without a quality manager covers this kind of situation in detail.

The Risks of Getting Scope Wrong

Scope errors cut both ways. You can make your scope too broad, which means you are committing to manage and audit more than you need to. Or you can make it too narrow, which can mislead customers and create problems during audits.

A scope that is too broad will increase your audit time, your certification costs, and the ongoing maintenance burden of your quality management system. You will be documenting and auditing processes that do not add value to your certification objectives. This is a waste of time and money.

A scope that is too narrow, or one that excludes things it should not, creates a different problem. If a customer discovers that the part of your business they are dealing with is not actually covered by your ISO 9001 certificate, you have a credibility problem. Worse, if your certification body discovers during a surveillance audit that your scope no longer accurately reflects your business, they can suspend or withdraw your certificate.

Getting scope right from the beginning saves you significant pain down the track. This is one area where working with an experienced consultant pays for itself. Understanding the hidden costs of ISO certification includes recognising that a poorly defined scope can lead to expensive rework, additional audit days, and scope amendments that cost both time and money.

Can You Change Your Scope After Certification?

Yes, you can change your scope after you are certified, but it is not a trivial exercise. Any significant change to your scope needs to be agreed with your certification body. Depending on the nature of the change, they may require a specific audit or assessment to validate the new scope before they update your certificate.

Adding a new site, a new product line, or a new service category to your scope will almost certainly trigger an additional audit of the new area. Removing something from your scope, perhaps because you have exited a particular market or discontinued a product line, is generally simpler but still needs to be documented and communicated to your certification body.

The ISO 9001:2015 standard itself requires that the scope be available and maintained as documented information, which means it is a living document that should be reviewed regularly, particularly when your business changes.

Getting Help With Scope Definition

Defining your scope correctly is one of the most important decisions you will make in the ISO 9001 certification process. It shapes everything that follows, from how your quality management system is designed, to how long your audit takes, to what appears on your certificate.

If you are unsure where to draw the boundary, or if you want to know whether a particular exclusion is legitimate for your business, this is exactly the kind of question a good ISO consultant can answer quickly. They have seen enough scopes across enough industries to tell you immediately whether your proposed boundary will hold up under audit or whether you are heading for problems.

At CertBetter, we connect businesses with verified ISO consultants and accredited certification bodies who can help you get your scope right from day one. You submit one form, and you receive up to three competing quotes from vetted providers. It is free for businesses, and it takes the guesswork out of finding someone you can actually trust. Whether you are defining your first scope or reconsidering the boundaries of an existing certificate, getting a few expert opinions side by side is the smartest way to make the decision.