# ISMS Scope Statement (ISO 27001 Clause 4.3)

> Define and validate the ISMS scope boundaries (physical, organizational, technical) with justified exclusions and no Shadow IT gaps. Includes boundary integrity checker and exclusion logic validator for audit-ready scope statements.

Tags: ISO 27001, ISMS, Compliance, Scope, Clause 4.3
## Example Prompts

- Draft an ISMS Scope Statement for Clause 4.3 and justify exclusions
- Check our org chart and network map against the declared scope for Shadow IT
- Validate that our scope exclusions have rigorous security justifications for audit
- Reconcile our department and system lists with the ISMS scope document
- Document third-party interfaces that cross the ISMS scope boundary

URL: https://rakenne.app/skills/iso27001-isms-scope/index.md

Try this skill: https://rakenne.app/a/?skill=iso27001-isms-scope

## Overview

For a step-by-step walkthrough of how this skill fits into the full ISMS flow, see the [**ISO 27001 ISMS workspace tutorial**](/learn/tutorials/iso27001-isms-workspace-guide/).

## Example Conversation

> **You:** We're preparing for our ISO 27001 surveillance audit. I have a scope document and our org chart and system list. I need to make sure nothing is left out of scope without justification and that exclusions are defensible.

> **Agent:** I'll run the boundary integrity checker using your scope document, org chart, and network map. That will flag any department or system that appears in your org/network but isn't in scope or in exclusions — potential Shadow IT or scope gap. Then I'll run the exclusion logic validator to ensure every exclusion has a rigorous security justification, especially for any core business services.

> **Agent:** Running `boundary_integrity_checker`...

> **Agent:** Boundary Integrity Checker — two findings: [WARNING] Department "Marketing" and system "Legacy CRM" appear in org/network but are not in scope or exclusions. I've added them to the scope document as exclusions with a placeholder justification. Please replace the placeholder with your actual risk assessment or management approval. Running `exclusion_logic_validator` next.

> **You:** I've filled in the justification for Marketing and Legacy CRM. Our core business services are in core_services.txt. Run the exclusion validator again.

> **Agent:** Running `exclusion_logic_validator` with your scope document and core_services.txt...

> **Agent:** Exclusion Logic Validator — RESULT: Exclusions appear to have adequate justifications. No errors; the scope is ready for audit from an exclusion-logic perspective.

## What the Tools Validate

The skill includes two extension tools that run against the scope document (JSON with `in_scope` and `exclusions`):

**`boundary_integrity_checker`** ensures no departments or systems are left unaddressed (potential Shadow IT):

- Accepts the scope document path plus optional paths to an org chart JSON (`departments`) and network map JSON (`systems`)
- Compares every department and system in those files to the scope: each must appear either in `in_scope` or in `exclusions`
- Reports **WARNING** for each entity that is neither in scope nor excluded — indicating a boundary gap or Shadow IT that auditors may question
- Use when drafting or revising the scope and when you have org chart and/or network inventory so the declared boundary matches reality

**`exclusion_logic_validator`** ensures exclusions have rigorous security justifications (a common cause of audit failure):

- Accepts the scope document path and an optional path to a core business services list (JSON array or one per line)
- For each exclusion, checks that the justification is substantive (length and keywords such as risk, assessment, approved, documented, residual risk)
- For exclusions that match the core business services list, requires a strong justification; otherwise reports **ERROR** (audit risk)
- For other exclusions with weak or missing justification, reports **WARNING**
- Use before finalising the scope so every exclusion is defensible to auditors
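A runnable sketch of both checks over the JSON shape described above, added here as an illustration and not the skill's own tool code. The keyword list comes from the page; the 60-character length threshold, the two-keyword minimum, the substring match of exclusion items against the core services list, and all sample inputs are assumptions.

```python
import json

# Assumed heuristics: the page lists these keywords and "length" but gives no thresholds.
STRONG_KEYWORDS = ("risk", "assessment", "approved", "documented", "residual risk")
MIN_LEN, MIN_HITS = 60, 2

def load_scope(scope_json):
    """Scope document -> (set of in_scope names, {exclusion item: justification})."""
    doc = json.loads(scope_json)
    return (set(doc.get("in_scope", [])),
            {e["item"]: e.get("justification", "") for e in doc.get("exclusions", [])})

def boundary_integrity_checker(scope_json, departments=(), systems=()):
    """WARNING for each department/system that is neither in scope nor an exclusion."""
    in_scope, exclusions = load_scope(scope_json)
    covered = in_scope | set(exclusions)
    return [f'[WARNING] {kind} "{name}" is in org/network but not in scope or exclusions'
            for kind, names in (("Department", departments), ("System", systems))
            for name in names if name not in covered]

def justification_is_strong(text):
    """Substantive = long enough and uses several of the expected risk-treatment terms."""
    hits = sum(kw in text.lower() for kw in STRONG_KEYWORDS)
    return len(text.strip()) >= MIN_LEN and hits >= MIN_HITS

def exclusion_logic_validator(scope_json, core_services=()):
    """ERROR for a weakly justified core-service exclusion, WARNING for any other weak one."""
    _, exclusions = load_scope(scope_json)
    core = [c.lower() for c in core_services]  # assumed: substring match on the item name
    findings = []
    for item, justification in exclusions.items():
        if justification_is_strong(justification):
            continue
        level = "ERROR" if any(c in item.lower() for c in core) else "WARNING"
        findings.append(f'[{level}] Exclusion "{item}" lacks a rigorous security justification')
    return findings

# Constructed sample inputs, mirroring the page's scenario (Marketing / Legacy CRM).
SCOPE = json.dumps({
    "in_scope": ["IT Department", "HR Department", "App X", "Data center DC1"],
    "exclusions": [
        {"item": "Legacy system Y", "justification": "Excluded per risk assessment 2025-01; "
         "residual risk accepted by CISO and documented in risk register. Network-isolated."},
        {"item": "Legacy CRM", "justification": "TODO: placeholder"},
    ],
})
DEPARTMENTS = ["IT Department", "HR Department", "Marketing"]
SYSTEMS = ["App X", "Data center DC1", "Legacy CRM"]
CORE_SERVICES = ["CRM"]
```

With these inputs the checker flags Marketing as a boundary gap, and the validator escalates the placeholder-justified Legacy CRM exclusion to ERROR because it matches the core services list.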

## Output Excerpt

A scope document (JSON) and a short narrative excerpt that the agent can produce and then validate with the tools:

**Scope document (excerpt):**

```json
{
  "in_scope": [
    "IT Department",
    "HR Department",
    "Customer-facing application (App X)",
    "Data center DC1"
  ],
  "exclusions": [
    {
      "item": "Legacy system Y (decommissioning Q3 2026)",
      "justification": "Excluded per risk assessment 2025-01; residual risk accepted by CISO and documented in risk register. System is network-isolated and scheduled for decommissioning; no handling of in-scope information."
    }
  ]
}
```

**Scope Statement narrative (excerpt):**

```markdown
## 2. Organizational and technical boundaries

The ISMS covers the following organizational units and supporting technology: IT Department, HR Department; systems include the customer-facing application (App X) and the primary data center DC1. Third-party hosting for App X is documented in the interface register (ref. Interface Register v2.1).

## 3. Exclusions and justification

The following are explicitly excluded from the scope:

- **Legacy system Y (decommissioning Q3 2026):** Excluded per risk assessment 2025-01; residual risk accepted by CISO and documented in risk register. System is network-isolated and scheduled for decommissioning; no handling of in-scope information.

All exclusions have been validated for justification adequacy via the exclusion logic validator. Scope and exclusions are reviewed quarterly and after material changes to organization or systems.
```

Run `boundary_integrity_checker` and `exclusion_logic_validator` on the scope document to confirm boundary consistency and defensible exclusions before submission.

## Getting Started

Add your source materials (scope document, org chart, network map, and optionally a core business services list) to the project workspace, then activate the *ISMS Scope Statement (ISO 27001 Clause 4.3)* skill. The agent will guide you through defining boundaries, justifying exclusions, and validating with both tools until the scope is audit-ready.
