Can I exclude part of my business from my ISO certification scope?

Yes, you can exclude parts of your business from scope, but the exclusion must be justified and documented. You cannot exclude activities simply because they are difficult to manage or poorly performing. For ISO 9001, certain Clause 8 requirements can be excluded where they genuinely do not apply to your products or services, but you must explain why in your scope statement. Excluding core delivery processes that affect customer requirements is generally not acceptable and will be challenged by your certification body during audit.

Does my ISO scope need to cover all my locations?

No, your ISO scope does not need to cover every location your business operates from, but any location included in scope must have the management system fully implemented and will be subject to audit. If you have branch offices or project sites that are not covered by your management system, they should be excluded from scope. However, if those locations perform activities that are central to your products or services, excluding them may undermine the commercial value of your certificate.

How specific does my scope statement need to be?

Your scope statement needs to be specific enough that an informed reader, such as a procurement officer or auditor, can clearly understand what is and is not covered by your certificate. Vague statements like “provision of services” are generally not acceptable. A good scope statement identifies the types of products or services, the relevant customer sectors or applications where appropriate, the key activities covered such as design, manufacture, or delivery, and the locations from which those activities are performed.

What happens if my scope changes after I get certified?

If your scope changes significantly after certification, you are required to notify your certification body. Depending on the nature of the change, this may trigger an unscheduled audit or a scope extension audit. Adding new services, opening new locations, or making significant changes to your operating model are all changes that need to be assessed. Failing to update your scope when your business changes can put your certification at risk and create problems when clients or regulators discover the discrepancy.

Does the scope statement on my certificate have to match exactly what I submitted?

Your certification body will draft the scope statement that appears on your certificate based on their assessment of your management system during audit. The wording on the certificate may differ slightly from your internal scope document, but it should accurately reflect what was assessed and found to conform. Review the draft certificate carefully before it is issued. If the scope statement does not accurately reflect your operations or is worded in a way that could mislead clients, raise it with your certification body before the certificate is finalised.

Can I have different scopes for different ISO standards?

Yes, and this is actually quite common. A business might certify its entire operation to ISO 9001 for quality management but limit its ISO 27001 information security scope to its IT systems and data handling processes. Each standard has its own scope statement, and they do not need to be identical. If you are pursuing an integrated management system covering multiple standards, it is worth thinking carefully about whether a consistent scope across all standards makes sense for your business or whether different boundaries are more appropriate.

How to Define the Scope of Your ISO Certification

Why Getting Your Scope Right Matters More Than You Think

Defining the scope of your ISO certification is one of the most consequential decisions you will make in the entire certification process. Get it right and your certificate accurately reflects what your business does, your audits run smoothly, and your clients trust what they see on paper. Get it wrong and you are either paying to certify activities that add no value, or worse, you are presenting a certificate to clients that does not actually cover the work you do for them.

On this page

I have seen both problems play out in real businesses. A construction company that certified its head office operations but excluded its project sites. A software firm that included its sales team in scope but had no quality processes to show for it. These are not edge cases. Scope errors are one of the most common issues I encounter during Stage 1 readiness audits, and they almost always trace back to a decision made at the very beginning of the project.

This article walks you through exactly how to define your ISO certification scope, what the standard actually requires, the practical decisions you need to make, and the mistakes that trip businesses up. Whether you are pursuing ISO 9001 for quality management, ISO 14001 for environmental management, ISO 27001 for information security, or any other management system standard, the principles here apply across the board.

What Is the Scope of an ISO Certification?

The scope of your ISO certification is a formal statement that describes what is covered by your management system and the resulting certificate. It tells auditors, clients, and regulators exactly which parts of your organisation, which products or services, which locations, and which processes are included in your certified system.

Your scope statement will appear on your ISO certificate itself. When a procurement officer or tender evaluator asks to see your certificate, the scope is what they read to determine whether your certification is relevant to the work you are doing for them. A vague or inaccurate scope statement can cause a perfectly valid certificate to be rejected.

Under ISO management system standards, the scope requirement sits within Clause 4.3, which covers the determination of the scope of the management system. As explained in our guide to Clause 4.3 determining scope of management systems, the standard requires you to consider the external and internal issues identified in Clause 4.1, the requirements of interested parties identified in Clause 4.2, and the products and services of the organisation.

Get 3 ISO Quotes. 24 Hours Response

Tell us what you need and compare vetted ISO consultants or certification bodies within 24 hours. Free, no obligation.

Trusted by 400+ businesses like yours

The Four Elements You Must Address in Your Scope

A well-constructed scope statement addresses four core elements. These are not arbitrary categories. They directly reflect what auditors look for and what certification bodies need to issue a certificate.

1. Products and Services

What does your organisation actually produce or deliver? Be specific here. “Engineering services” is too broad if you only do civil engineering design. “Civil engineering design services for infrastructure projects” is far more useful. The scope should reflect what you actually do, not what you could theoretically do.

If your business provides multiple distinct services, you need to decide whether all of them fall within the management system or just some. A company that provides both IT consulting and hardware resale might choose to certify only the consulting side if that is where the client demand for ISO 9001 sits. That is a legitimate decision, but it must be documented and defensible.

2. Locations

Where does your organisation operate? If you have a single office, this is straightforward. If you have multiple sites, warehouses, project locations, or remote workers, you need to think carefully about which locations are in scope.

Multi-site businesses often make the mistake of including all locations in the scope statement without ensuring each location actually has the systems and processes in place to meet the standard. Auditors will visit or remotely assess sites included in scope. If a branch office is listed but has no documented procedures and staff cannot explain the quality policy, that is a nonconformance waiting to happen.

3. Applicable Processes

Which business processes are covered by the management system? For most businesses, this means the core delivery processes that directly affect the quality, safety, environmental impact, or security of your products and services. It also includes supporting processes like procurement, training, and maintenance where they influence the outcome.

You do not need to include every single process in your business. A manufacturing company pursuing ISO 9001 might reasonably exclude its payroll processing from scope. However, you cannot exclude a process simply because it is difficult to manage or currently not performing well. The standard is clear that you cannot exclude processes in a way that affects your ability to meet customer requirements.

4. Exclusions and Boundaries

Some standards allow you to exclude certain clauses or requirements where they genuinely do not apply to your business. ISO 9001 permits exclusions under Clause 8 where requirements are not applicable due to the nature of the organisation or its products and services. However, these exclusions must be justified. You cannot exclude design and development simply because you find it inconvenient if your business actually performs design activities.

Boundaries also matter. If your parent company handles procurement centrally and you have no influence over supplier selection, you need to document that boundary clearly and explain how you manage the interface between your certified scope and the activities outside it.

How to Actually Define Your Scope: A Practical Process

Knowing what elements to include is one thing. Actually sitting down and working through the definition process is another. Here is a practical approach that works for most businesses.

Step 1: Map Your Business Activities

Start by listing everything your organisation does. Products manufactured, services delivered, locations operated, customers served. Do not filter anything at this stage. You want a complete picture before you start making decisions about what to include or exclude.

Talk to your operations manager, your sales team, and your delivery staff. The people doing the work often have a clearer picture of what actually happens in the business than the people writing the documents. This exercise also helps you identify processes you may have overlooked.

Step 2: Understand What Your Clients and Stakeholders Expect

Your clients have requirements. Your regulators have requirements. Your certification body has requirements. Before you finalise your scope, you need to understand what these stakeholders actually need from your certificate.

If you are pursuing ISO 9001 because a major client requires it for a specific contract, find out exactly what that client expects the certificate to cover. If the contract relates to your manufacturing operations, certifying only your head office administration will not satisfy the requirement. This is a common and costly mistake.

The needs and expectations of interested parties exercise under Clause 4.2 feeds directly into your scope decision. Do not treat these as separate activities.

Step 3: Consider Your Context

Your scope must be consistent with the context of your organisation. If your business operates in a heavily regulated industry, your scope needs to reflect the regulatory environment. If you are a small business with five employees, your scope should be proportionate to your size and complexity.

The context of your organisation analysis helps you identify internal and external factors that influence what your management system needs to cover. A business operating across multiple jurisdictions with different legal requirements will have a more complex scope than a single-site local business.

Step 4: Draft the Scope Statement

Now write it down. A good scope statement is clear, specific, and honest. It should be short enough to appear on a certificate without confusion but detailed enough to tell an informed reader exactly what is covered.

Here is an example of a poor scope statement: “Provision of services.”

Here is a better one: “Design, development, and delivery of custom software solutions for the financial services sector, including post-deployment support, from our offices in Sydney and Melbourne.”

The second version tells you what the business does, who it does it for, what the full service cycle includes, and where it operates. That is what a good scope statement looks like.

Step 5: Validate the Scope With Your Certification Body

Before you commit to a scope, discuss it with your certification body. They will review your scope during the Stage 1 audit and flag any concerns. Getting their input early can save you from having to revise your scope statement mid-certification, which can delay your timeline and add cost.

Your certification body will also use your scope to determine the number of audit days required. A broader scope generally means more audit days and higher certification costs. This is another reason to be deliberate rather than defaulting to the broadest possible scope.

Common Scope Mistakes and How to Avoid Them

Having reviewed hundreds of scope statements over the years, certain mistakes come up again and again. Here are the ones most likely to cause problems.

Scope That Is Too Broad

Some businesses try to include everything in their scope to make their certificate look more impressive. The problem is that every activity included in scope must be covered by the management system and will be subject to audit scrutiny. If you include activities you have not actually built systems around, you will generate nonconformances.

A broader scope also increases your audit days and ongoing surveillance costs. There is no benefit to including activities in scope that your clients do not care about and that add no value to your certification.

Scope That Is Too Narrow

The opposite problem is equally dangerous. If your scope is so narrow that it does not cover the activities your clients expect to see certified, your certificate becomes commercially useless. A manufacturer that certifies only its warehouse operations but not its production line will struggle to satisfy customer quality requirements.

Artificially narrow scopes can also raise integrity questions. If an auditor or client discovers that significant business activities are excluded from scope without good reason, it undermines confidence in the entire certificate. You can read more about this issue in our article on whether you can limit the scope of your ISO 9001 certification.

Scope That Does Not Match Reality

This is the most serious problem. A scope statement that describes activities the business does not actually perform, or locations that are not genuinely covered by the management system, is misleading and will be identified during audit. Auditors are trained to test whether the scope reflects reality by interviewing staff, reviewing records, and observing operations.

If your scope says you provide services from three locations but one of those locations has no documented procedures, no trained staff, and no records, you have a problem that goes beyond a simple nonconformance.

Forgetting to Update the Scope as the Business Changes

Your scope is not a one-time decision. As your business grows, adds services, opens new locations, or changes its operating model, your scope needs to be reviewed and updated. A scope that was accurate three years ago may no longer reflect what your business does today.

Most certification bodies require you to notify them of significant changes to your scope between audits. Failing to do so can put your certification at risk and create problems when clients or auditors discover the discrepancy. Our article on how to update your ISO 9001 scope when your business grows covers this process in detail.

Scope Across Different ISO Standards

The principles above apply broadly, but different standards have specific considerations worth noting.

ISO 9001 Quality Management

For ISO 9001, the scope needs to cover all products and services that are subject to customer requirements and quality objectives. The standard explicitly allows exclusions of certain Clause 8 requirements where they are not applicable, but these must be justified in the scope statement. Design and development is the most commonly excluded requirement, but only where the business genuinely does not perform these activities.

ISO 27001 Information Security

For ISO 27001, the scope definition is particularly critical because it determines which information assets, systems, and processes are covered by your Information Security Management System. The ISO 27001 standard requires you to define the scope considering interfaces and dependencies between activities performed by the organisation and those performed by other organisations. A software company certifying its cloud platform needs to think carefully about where its system boundaries sit and how third-party services interact with those boundaries.

ISO 14001 Environmental Management

For ISO 14001, the scope must address the physical boundaries of your operations and the environmental aspects associated with them. A manufacturing business needs to consider not just its production processes but also its waste management, energy use, and the environmental impacts of activities at each site included in scope.

ISO 45001 Occupational Health and Safety

For ISO 45001, the scope needs to cover all workers under the organisation's control, including contractors and visitors where relevant. A construction company needs to think carefully about whether its project sites are in scope and how it manages the health and safety of workers who move between sites.

How Your Scope Affects Certification Costs and Timelines

Your scope has a direct financial impact on your certification project. Certification bodies use your scope to calculate the number of audit days required, which is the primary driver of certification fees. The IAF Mandatory Document MD 1 provides guidance on audit time calculation and is used by accredited certification bodies to determine audit duration based on factors including the number of employees, number of sites, and complexity of processes within scope.

A well-defined, appropriately sized scope can reduce your audit days and therefore your certification costs without compromising the integrity of your certificate. This is not about gaming the system. It is about being precise and honest about what your business actually does and what your clients actually need to see certified.

Timeline is also affected. A complex multi-site scope with multiple service lines will take longer to implement and audit than a focused single-site scope. If you are working to a deadline, such as a tender requirement, keeping your scope focused on what matters most can help you achieve certification faster.

Getting Help With Scope Definition

Defining your scope is not something you need to figure out alone. An experienced ISO consultant who knows your industry can help you think through the right boundaries, draft a scope statement that will satisfy your certification body, and avoid the common mistakes that delay certification or generate nonconformances.

The challenge is finding a consultant who will give you honest, practical advice rather than simply telling you what you want to hear. If a consultant recommends an unnecessarily broad scope without explaining the cost implications, or pushes you toward a narrow scope to reduce their own workload, that is a red flag.

If you are looking for verified ISO consultants who can help you define your scope and guide you through the full certification process, CertBetter connects Australian businesses with vetted consultants and accredited certification bodies. Submit one form and receive up to three competing quotes. The service is completely free for businesses seeking certification help.