certification scope

Certification scope commonly refers to the formally defined boundaries of what an external certification or registration covers for an organization. It describes which activities, sites, processes, products, and services are included under a specific standard or scheme (such as ISO 9001, AS9100, or cybersecurity frameworks).

The certification scope is typically documented in the certificate itself and in associated internal records. It is used by customers, regulators, and internal teams to understand where a particular certification applies and where it does not.

What certification scope usually includes

In industrial and regulated manufacturing environments, certification scope commonly defines:

• Organizational boundaries: specific legal entities, sites, plants, or business units included in the certification.
• Activities and processes: types of operations covered, such as design, manufacturing, assembly, test, inspection, repair, or distribution.
• Products and services: product families, component types, systems, or service offerings that fall under the certified system.
• Applicable standards: which standard(s) the scope relates to, for example ISO 9001, AS9100, ISO 27001 or CMMC.
• Limitations and exclusions: processes or functions not covered, such as design-excluded scopes or non-certified sites.

Operationally, the certification scope should be reflected in quality management systems, MES/ERP configurations, document control, and customer-facing information so it is clear which work is performed under which certified environment.

Use in multi-site and integrated operations

In multi-site manufacturers, different plants or business units may have different certification scopes. For example, one site may be certified for AS9100 including design, while another is certified only for production of specific part families. In these cases, organizations typically:

• Map products, programs, and customers to the sites that are within the relevant certification scope.
• Configure routing, work orders, and approved supplier lists so certified and non-certified flows do not get confused.
• Maintain evidence showing that activities claimed as certified actually occur within the defined scope.

Common confusion

• Certification scope vs. process scope: Process scope describes the boundaries of a specific process or procedure (for example, what a work instruction covers). Certification scope is broader and tied to a formal external certification.
• Certification scope vs. organization-wide coverage: A company may be certified only for part of its operations. It is incorrect to assume that a single certification automatically covers every site, product, or service unless the documented scope states this.
• Certification scope vs. regulatory applicability: Certification scope is defined for a standard or scheme and does not, by itself, determine whether a regulation applies. Regulatory scope is set by laws or authorities, even if certification is used as supporting evidence.

Relation to audits and evidence

During external audits, auditors typically verify that the management system and collected evidence match the declared certification scope. Internally, operations, quality, and IT/OT teams often use the scope to decide:

• Which processes must follow certified procedures and controls.
• Which records must be retained as evidence for the certified activities.
• How changes to products, sites, or IT/MES systems affect what is inside or outside the scope.

Clear and maintained certification scope helps prevent incorrect claims about coverage and supports accurate communication to customers and regulators.