The Short Answer: Yes, Exclusions Are Allowed, But With Conditions
One of the most common questions I hear from business owners preparing for ISO certification is this: do we have to include everything we do in the scope? The honest answer is no, you do not. But exclusions are not a free pass to carve out the inconvenient parts of your business. They come with rules, and if you get them wrong, your auditor will push back hard.
On this page
Understanding what can and cannot be excluded from your ISO certification scope is one of the most practical decisions you will make during the certification process. Get it right and your certificate accurately reflects your business. Get it wrong and you either end up with a scope so narrow it means nothing to clients, or you claim exclusions that are not actually permitted and face a nonconformance during audit.
This article walks through exactly how scope exclusions work across the main ISO management system standards, what the rules are, and how to make sensible decisions for your own business.
What Is Certification Scope and Why Does It Matter?
Before we get into exclusions, it helps to be clear on what scope actually means. Your certification scope is the formal statement that describes what your management system covers. It defines the boundaries of the system, which locations are included, which products or services are covered, and which parts of the organisation fall within the certified area.
You can read more about how this works technically in our guide to Clause 4.3 on determining the scope of management systems. That article goes into the mechanics of writing a scope statement. This article focuses specifically on what you are allowed to leave out.
The scope matters because it is what appears on your certificate. When a client or procurement team sees your ISO 9001 certificate, the scope statement tells them exactly what has been assessed. A scope that says design, manufacture and distribution of industrial valves tells them something specific. A scope that says provision of services tells them very little. Scope decisions have real commercial consequences.
The Two Types of Exclusions You Need to Understand
There is an important distinction between two very different things that often get confused under the word exclusion.
Excluding Parts of the Organisation From Scope
The first type is a boundary decision. You are choosing which parts of your business, which sites, which functions, or which product and service lines to include in the certification. This is a legitimate business decision and is entirely within your control.
For example, a company with five business units might choose to certify only two of them initially. A manufacturing business might certify its production facility but exclude a separate retail outlet that operates quite differently. These are scope boundary decisions, not clause exclusions.
The key rule here is that the boundary must not be drawn in a way that misleads clients. If you only certify one small part of your business but present your certificate to clients as though the whole company is covered, that is a misrepresentation. Your ability to limit the scope of your ISO 9001 certification is real, but it comes with an obligation to be honest about what is and is not included.
Excluding Specific Clauses or Requirements From the Standard
The second type is more technical. Some ISO standards allow you to formally exclude specific requirements or clauses from your management system where those requirements genuinely do not apply to your organisation. This is what most people mean when they talk about ISO scope exclusions.
This is where the rules get specific, and where many businesses make mistakes.
ISO 9001 Clause Exclusions: What the Standard Actually Allows
ISO 9001:2015 is the standard where clause exclusions are most commonly discussed. The standard addresses this directly in Clause 4.3, which states that an organisation may determine that a requirement is not applicable if it does not affect the organisation's ability or responsibility to ensure the conformity of its products and services and the enhancement of customer satisfaction.
In plain terms, you can only exclude a requirement if two conditions are met. First, the requirement genuinely does not apply to what you do. Second, excluding it does not undermine the integrity of the quality management system or your ability to deliver conforming products and services.
The Most Common Legitimate Exclusion: Design and Development
By far the most frequently claimed exclusion under ISO 9001 is Clause 8.3, which covers design and development of products and services. Many businesses do not design anything. They manufacture to customer specifications, distribute products designed by others, or deliver services based on established methods defined by the client.
If your business genuinely has no design function, excluding Clause 8.3 is entirely appropriate. A contract manufacturer who receives engineering drawings from clients and simply produces to those drawings has no design activity to manage. The exclusion is justified.
However, if your business does any customisation, any adaptation of existing designs, or any development of new service offerings, you cannot claim this exclusion. I have seen businesses try to exclude design and development when they clearly do product adaptation work. Auditors will probe this, and they will find it.
What You Cannot Exclude
Not every clause is available for exclusion. The ISO 9001 standard is quite clear that certain requirements apply universally. You cannot exclude clauses simply because they are difficult to implement or because you have not done the work yet.
Clauses related to leadership, planning, support, performance evaluation, and improvement are not available for exclusion. These are core structural requirements of the management system. If you try to exclude them, your certification body will reject the claim outright.
The ISO 9001:2015 standard published by ISO.org makes clear that any claimed exclusion must be justified and documented, and the organisation must still demonstrate that it meets the intent of the standard within its defined scope.
How Other ISO Standards Handle Exclusions
ISO 9001 gets the most attention on this topic, but other management system standards have their own positions on exclusions. They are not all the same.
ISO 14001 Environmental Management
ISO 14001:2015 does not contain the same explicit exclusion mechanism that ISO 9001 does. The standard expects you to define your scope and then apply all requirements within that scope. You cannot simply exclude clauses you find inconvenient.
What you can do is define your scope boundaries carefully. If a particular site or activity is genuinely outside the boundary of your environmental management system, it does not need to be covered. But once something is inside your scope, all requirements apply.
ISO 45001 Occupational Health and Safety
ISO 45001:2018 takes a similar approach to ISO 14001. The standard does not provide a formal clause exclusion mechanism. Scope boundaries are legitimate, but within those boundaries, full compliance is expected.
This makes sense given the nature of the standard. Excluding health and safety requirements from parts of your operations that you have chosen to include within scope would be a serious integrity issue. Auditors and accreditation bodies would not accept it.
ISO 27001 Information Security
ISO 27001 has its own approach. The standard requires you to implement a set of information security controls, but it explicitly acknowledges that not every control will be relevant to every organisation. Annex A of ISO 27001 contains a reference set of controls, and organisations are required to produce a Statement of Applicability that documents which controls apply, which do not, and the justification for any that are excluded.
This is a more structured approach to exclusions than ISO 9001 uses. The Statement of Applicability is a key document that auditors examine closely. Excluding a control requires a documented, justified reason. Simply saying a control is too difficult or too expensive is not acceptable.
The Rules for Justifying an Exclusion
Whether you are working with ISO 9001, ISO 27001, or another standard, the principle is consistent. Exclusions must be justified, documented, and defensible. Here is what that means in practice.
The Exclusion Must Be Genuinely Not Applicable
This is the most important test. The requirement must genuinely not apply to your organisation, your products or services, or your processes. It is not enough that you have not implemented the requirement yet. It is not enough that it would be costly or inconvenient. The activity or function covered by the requirement must simply not exist in your operation.
The Exclusion Must Not Affect Conformity
Even if a requirement does not directly apply, you need to be confident that excluding it does not affect your ability to deliver conforming products or services. If there is any doubt, the safer approach is to include the requirement and implement it in a proportionate way.
The Exclusion Must Be Documented
You need to document your exclusions in your management system documentation, typically in your scope statement or your quality manual if you have one. You need to state what is excluded and why. Vague justifications will not satisfy an auditor. Be specific and factual.
The Exclusion Must Be Disclosed to Your Certification Body
Your certification body needs to know about any claimed exclusions before they conduct their audit. They will review the justification and either accept it or challenge it. Do not try to slip exclusions past your auditor. If they find an unjustified exclusion during audit, it will result in a nonconformance.
Common Mistakes Businesses Make With Exclusions
Having audited and consulted on ISO certifications for many years, I have seen the same mistakes come up repeatedly. Here are the ones worth knowing about before you finalise your scope decisions.
Excluding Requirements to Avoid Difficult Work
This is the most common mistake. A business realises that implementing a particular requirement will take significant effort, so they decide to exclude it rather than do the work. This approach will not survive audit scrutiny. Auditors are trained to probe exclusion justifications, and we do not currently do this is very different from this requirement is not applicable to our business.
Excluding Sites or Functions That Are Commercially Relevant
Some businesses exclude sites or functions from scope to reduce audit costs, then present their certificate to clients as though the whole business is covered. This is a misrepresentation that can damage client relationships and, in serious cases, could have legal implications. If you are updating your ISO 9001 scope as your business grows, make sure your certificate reflects reality at all times.
Assuming Exclusions Carry Over Between Standards
Just because you can exclude design and development under ISO 9001 does not mean the same logic applies to other standards you might certify to. Each standard has its own rules. If you are pursuing an integrated management system covering ISO 9001, ISO 14001, and ISO 45001 together, you need to assess exclusions separately for each standard.
Not Reviewing Exclusions When the Business Changes
A business might legitimately exclude design and development at the time of initial certification because they genuinely do no design work. But if the business later takes on design projects, that exclusion is no longer valid and must be removed. Failing to update your scope and exclusions when the business changes is a common finding during surveillance audits.
How to Document Exclusions Properly
Documentation does not need to be complicated, but it does need to be clear and specific. Your scope statement should identify any excluded clauses or requirements and include a brief but factual explanation of why each exclusion is justified.
A well-written exclusion statement looks something like this:
Clause 8.3 Design and Development is excluded from the scope of this quality management system. The organisation manufactures products exclusively to customer-supplied specifications and engineering drawings. No design or development activity is performed by the organisation.
That is clear, factual, and directly tied to the nature of the business. Compare that to a vague statement like design is not applicable, which gives an auditor nothing to work with and will prompt further questioning.
If you are unsure how to structure your documentation, this is one area where working with an experienced ISO consultant pays off. A consultant who understands your industry and the standard can help you identify legitimate exclusions and document them in a way that will hold up under audit scrutiny. If you are looking for help, selecting the right ISO consultant is worth taking seriously before you start.
Practical Advice for Scope Decisions Before Certification
Here is the practical approach I recommend when businesses are working through their scope and exclusion decisions before pursuing certification.
Start by mapping your actual business activities against the requirements of the standard. Go through each clause and ask honestly whether the activity it covers exists in your organisation. Do not start from the position of what can we exclude. Start from the position of what do we actually do.
For any requirement where the activity does not exist, document the reason clearly and check it against the standard's own guidance on exclusions. Then discuss your proposed exclusions with your certification body before the audit. Most certification bodies are happy to review scope and exclusion decisions during the application process, and it is far better to resolve disagreements before the audit than during it.
Also consider the commercial impact. Your scope statement appears on your certificate and is visible to clients. A very narrow scope with multiple exclusions might technically be compliant, but it might also raise questions from sophisticated procurement teams who know what the standard requires. Think about what your clients actually need to see.
