Scope (ISMS)

Scope defines the boundaries of the ISMS: which locations, departments, processes, systems, and information are covered by the Information Security Management System. ISO 27001 (clause 4.3) requires a documented scope definition.

The delineation must consider interfaces to areas outside the scope — such as service providers operating within the scope or IT systems that partially lie outside it. A scope that is too narrow may leave critical risks unaddressed. A scope that is too broad increases effort disproportionately. Defining the scope is one of the first and most important decisions when establishing an ISMS.