Scoping is one of the nine keys to project success. It is key, both because you need to know the boundaries of what you are planning to implement, and because the standard itself requires it.

Clause 4.2.1.b of ISO 27001 sets out clearly the components of the ISMS policy. The policy must be approved by the board. Its scope (see 4.2.1.a), and the policy itself, must take into account the characteristics of the business, its organization, location, assets and technology. The policy must include a framework for setting policy objectives and establish the overall sense of direction. It must take into account all relevant business, legal, regulatory and contractual security requirements. It must establish the strategic context (for ...