
Define the scope


Goal: Determine which entities, locations, departments and interfaces your ISMS covers, justify exclusions, and generate a documented scope statement from them.

In the ISMS Assistant you define the scope under ISMS Assistant → Organizational context and scope → Defining the Scope of your ISMS. You decide which entities, locations and departments the ISMS covers, justify every exclusion, capture the interfaces to third parties, and generate a complete scope statement with one click. This document is the foundation for everything that follows: risk analysis, controls and certification all build directly on it.

Set the scope boundaries

Open the scope page

Open the ISMS Assistant and follow the Organizational context and scope chapter to its final page, Defining the Scope of your ISMS. The page turns the abstract work of the previous pages into a concrete, documented scope.

The “Defining the Scope of your ISMS” page with the scope boundaries, requirements, interfaces and scope statement sections.

Pick entities, locations and departments

In the Scope Boundaries section, all Legal entities / companies, Offices & locations and Departments from the organization profile are in scope by default. Uncheck any item you want to exclude.

Justify the exclusions

As soon as you uncheck an item, a reason field appears. Enter why the item sits outside the scope. This reason later appears as a documented exclusion in the scope statement and has to hold up to an auditor.

Unchecking an item reveals an exclusion reason field, for example “Production-only site with no access to in-scope IT systems”.

Capture interfaces and requirements

Review the requirements

The Requirements section shows the prioritized Must and Should requirements from the MoSCoW prioritization. They act as scope drivers and flow automatically into the scope statement. Check that the list is complete.

Select interfaces and dependencies

Open the Interfaces & Dependencies section. Check every external interface, such as Cloud Service Providers or IT Outsourcing / Managed Services. Use Add custom interface for your own entries. Each interface can be linked to specific assets from the register, so it is clear what crosses that boundary.

The expanded “Interfaces & Dependencies” section with the predefined interface types and the option to link assets.

Generate and approve the scope statement

Generate the document

In the ISMS Scope Statement area, click Generate Document. Cenedril builds a complete, personalized statement with your organization name, the entities and locations, the exclusion reasons, the interfaces, the Must and Should requirements, and the matching norm citations.

Review and adjust the content

Read the generated document carefully and add detail where needed. The template is a strong starting point, yet your own wording should still show through, especially for roles, responsibilities and company-specific limitations.

Save and submit for approval

Save the page via Save, or first via Save as Draft. In the document editor, click Mark as Complete so that the scope statement appears under Documentation → Policies & Procedures, where it can be submitted to top management for approval, with documented approval status and versioning.

Result: the scope is defined, every exclusion is justified, the interfaces are captured, and the scope statement exists as a generated document ready for top management sign-off. The foundation for the risk work is now in place.

Frequently asked questions

Which items are in scope by default?

Every entity, location and department from your organization profile is included in scope to begin with. You deliberately remove individual items by unchecking them. Cenedril then asks for a reason, which later appears as a documented exclusion in the scope statement.

What counts as an interface under ISO 27001 Clause 4.3?

An interface is a point where your ISMS hands responsibility to another organization, that is, a data, process or trust boundary. A cloud provider storing customer data belongs here. A full supplier list does not. For each entry, ask: does any information relevant to you flow into or out of that organization?

Do I have to write a reason for every exclusion?

Yes. As soon as you uncheck an item, a reason field appears. The reason has to hold up to an auditor asking why exactly this is not included. Concrete reasons such as “Production-only site with no access to in-scope IT systems” hold up under review. Vague phrases like “not relevant” rarely survive an audit.

How do I get sign-off on the scope?

Mark the scope statement as “Complete” in the document editor. It then appears under Documentation → Policies & Procedures, where it can be submitted to top management for approval, with approval status and versioning.

Can I widen the scope later?

Yes. A narrow scope can be widened at any time. That is far easier than trimming an over-broad scope after the fact, because risk analysis, controls and evidence already depend on it.