ISO/IEC 27001:2022 scope and certification

ISO/IEC 27001 is a management system standard. Audits focus on whether your ISMS works in practice: governance, risk management, control execution, and continual improvement.

This page is a practical guide to defining scope and preparing for certification-style audits without turning ISO/IEC 27001 into a documentation sprint.

What an ISMS is

An ISMS is the set of policies, processes, controls, and evidence that manages information security risk across an organization.

Define scope you can defend

In ISO work, scoping is not a formality. Your scope determines what auditors will sample, which systems matter, and what evidence you must be able to produce.

Good scopes are:

  • specific (what is included/excluded)
  • operational (who is accountable and what processes apply)
  • reviewable (how scope changes are approved and recorded)

For AI systems, scope often extends beyond the model into the operational environment (infrastructure, vendors, data pipelines, and incident handling).

What auditors typically expect

At a high level:

  • defined scope and asset boundaries
  • risk assessment process and treatment decisions
  • security controls implemented and executed
  • evidence of operation (logs, reviews, training, incident handling)
  • internal audits and management reviews that drive improvement

Annex A is a reference, not a checklist

Audits usually test operation and evidence. Use Annex A to structure controls, but keep selection and exclusions tied to scope and risk.

Disclaimer

This page is for general informational purposes and does not constitute legal advice.