Glossary

ISMS scope

ISMS scope describes the defined organizational, process, and system boundaries to which an information security management system applies.

ISMS scope is the formally defined boundary within which an Information Security Management System (ISMS) is established, implemented, maintained, and continually improved. It specifies which sites, functions, processes, systems, assets, and information are covered by the ISMS, and which are explicitly out of scope.

In industrial and regulated manufacturing environments, ISMS scope commonly covers some combination of:

  • Physical locations such as specific plants, warehouses, laboratories, or corporate offices
  • Organizational units such as IT, OT, engineering, quality, or supply chain
  • Business processes such as batch manufacturing, release to ship, change control, or vendor management
  • Systems and infrastructure such as MES, ERP, SCADA, data historians, networks, and cloud services
  • Categories of information such as production data, quality records, technical data, or personal data

Typical contents of an ISMS scope statement

An ISMS scope is usually documented in a short, explicit statement. In manufacturing, it often includes:

  • A description of covered sites and legal entities (for example, specific plants rather than the whole enterprise)
  • The main processes and services included (for example, GMP production and supporting quality systems)
  • The types of information and assets protected (for example, batch records, formulas, machine configurations)
  • High-level exclusions and constraints, where certain sites, functions, or systems are out of scope
  • Dependencies on shared or corporate services such as networks, identity management, and cloud platforms

The scope is used to decide where risk assessments apply, which controls must be implemented, and which areas are examined during internal and external audits.

Operational relevance in manufacturing

In multi-site or global manufacturing organizations, the ISMS scope can be limited to:

  • Selected production plants or regions
  • Specific regulated product lines
  • Operational technology (OT) environments only, or IT and OT together
  • Defined systems such as MES, LIMS, or batch control systems

Even when the scope is narrow, shared infrastructure and cross-site data flows (for example, corporate Active Directory, centralized historians, or cloud analytics) typically must be addressed as dependencies. These dependencies are not always fully in scope, but their interfaces, responsibilities, and controls usually need to be documented to avoid gaps and unclear accountability.

What ISMS scope is not

The ISMS scope is not the same as:

  • Asset inventory: The scope defines boundaries and coverage; it does not list every individual asset.
  • Risk treatment plan: The scope describes what is covered; it does not specify which controls are chosen for each risk.
  • Network segmentation: The scope may align with network zones, but it is a management and audit boundary, not a technical topology by itself.

Common confusion

ISMS scope vs. certification scope: The ISMS scope describes where the management system applies. A certification scope, when present, describes what an external body evaluated. These are often aligned but are not automatically identical.

ISMS scope vs. organizational scope: An ISMS can cover only part of an organization, such as selected plants or functions, even when the overall company is larger. This partial coverage must be made explicit in the documented scope.

Context from regulated manufacturing

In regulated manufacturing, defining ISMS scope often requires careful consideration of:

  • Shared IT/OT infrastructure used by both in-scope and out-of-scope plants
  • Cross-site data exchange, such as centralized quality systems or global MES instances
  • Corporate processes (for example, change management or supplier onboarding) that influence information security at the plants

Clear scope definition, including interfaces to out-of-scope areas, helps avoid control gaps, overlapping responsibilities, and audit findings related to information security governance.
