Key Takeaways
  • Scope defines what is included in your QMS and what the ISO 9001 certificate covers -- it appears on the certificate itself.
  • You cannot exclude core requirements (Clauses 4-6, 7.1-7.5, 8.1, 9-10) under any circumstances.
  • Outsourced processes must still be controlled within your QMS even if performed externally.
  • Multi-site scoping follows IAF MD 1 rules and requires a central management function.
  • An overly narrow scope can undermine certification credibility and fail to meet customer expectations.

Why Scope Matters

The scope of your ISO 9001 certification defines the boundaries of your Quality Management System: what products and services are covered, which sites are included, and what processes fall within the certified system. Getting the scope right is one of the most consequential decisions in the certification journey.

A well-defined scope:

  • Gives customers confidence: The scope statement on your certificate tells customers exactly what is covered by the certification. A meaningful scope builds trust; a vague or narrow scope raises questions.
  • Drives certification credibility: Auditors and accreditation bodies scrutinize scope definitions. An inappropriate scope can delay or prevent certification.
  • Manages implementation effort: The scope determines which processes must be documented, managed, and audited. Overextending the scope increases cost and complexity.
  • Supports tender qualification: Many procurement requirements specify that the ISO 9001 certificate must cover the specific products or services being tendered. A misaligned scope means the certificate is not useful.
Scope and Credibility

The scope statement appears on your ISO 9001 certificate and is publicly verifiable. Customers, auditors, and regulators will read it. A scope that appears to exclude difficult areas or that does not align with the organization's core activities will undermine confidence rather than build it.

Defining Your Scope

ISO 9001:2015 Clause 4.3 requires organizations to determine the boundaries and applicability of the QMS to establish its scope. The scope must consider:

  • The external and internal issues identified in Clause 4.1
  • The requirements of relevant interested parties identified in Clause 4.2
  • The products and services of the organization

The scope must state the types of products and services covered and provide justification for any requirement of the standard that the organization determines is not applicable. Importantly, the organization can only determine that a requirement is not applicable if its non-application does not affect the ability or responsibility to ensure conformity of products and services and customer satisfaction.

Scope Definition Process

  1. List all products and services: Start with a complete inventory of what the organization delivers
  2. Identify which products/services are in scope: Based on customer requirements, market needs, and business strategy
  3. Identify all sites and locations: Where design, production, storage, delivery, and support activities occur
  4. Map the processes: Identify the core, support, and management processes needed to deliver the in-scope products/services
  5. Identify outsourced processes: Determine which processes are performed by external providers but are needed for product/service conformity
  6. Determine applicability of requirements: Review each ISO 9001 clause to determine if it applies
  7. Draft the scope statement: Write a clear, concise statement that would be meaningful on the certificate

Products and Services

The scope must clearly identify the types of products and services covered. This is typically the most prominent element of the scope statement on the certificate.

Products vs Services

Consideration Products Services
Definition Tangible outputs of a process (manufactured goods, assembled items) Intangible outputs delivered through activities (consulting, support, maintenance)
Scope Description Specify product types or categories (e.g., "precision machined components") Describe service types (e.g., "IT managed services and cloud hosting")
Design Applicability Clause 8.3 applies if the organization designs products Clause 8.3 applies if the organization designs service delivery methods
Typical Evidence Production records, inspection reports, test results Service delivery records, SLAs, customer feedback

Scope Granularity

  • Too broad: "Engineering services" -- does not tell the customer what specific services are certified
  • Appropriate: "Design, manufacture, and installation of industrial control systems for process automation" -- specific and meaningful
  • Too narrow: "Manufacture of Model XYZ-100 controllers" -- overly restrictive, excludes future products

Sites and Locations

For organizations operating from multiple locations, the scope must address which sites are included and how multi-site management is handled.

Single-Site Certification

The simplest case: one location where all QMS activities occur. The scope identifies this location, and all audit activities take place there.

Multi-Site Certification

When the organization has multiple sites performing similar activities under a centralized QMS, multi-site certification may apply. Requirements include:

  • Central function: A central office or headquarters that plans, controls, and manages QMS activities across sites
  • Common processes: Sites must operate under the same QMS with common procedures and policies
  • Internal audit coverage: The central function must audit all sites within the internal audit program
  • Management review: A central management review must cover all sites
  • Sampling: The CB uses a sampling methodology (based on IAF MD 1) to select sites for audit -- not all sites are audited at every visit

Remote Workers and Temporary Sites

  • Remote workers: If staff work from home or remote locations and perform QMS-relevant activities, these arrangements should be addressed in the scope and controlled through documented processes
  • Project sites: Construction companies, consultancies, and similar organizations that work at customer sites should describe this in their scope (e.g., "including project sites")
  • Temporary locations: Pop-up operations, seasonal sites, or temporary warehouses may need to be included if they handle in-scope products/services

Permissible Exclusions

ISO 9001:2015 allows organizations to determine that certain requirements of the standard are not applicable to their QMS scope. However, the rules governing exclusions are strict.

The Applicability Rule

Under Clause 4.3, an organization may only determine that a requirement is not applicable when:

  • The non-application does not affect the organization's ability to ensure conformity of its products and services
  • The non-application does not affect the organization's responsibility to enhance customer satisfaction
Common Permissible Exclusion

The most common exclusion is Clause 8.3 (Design and Development). This is permissible when the organization manufactures or delivers products/services to customer-provided designs or specifications and does not perform any design activity. For example, a contract manufacturer that produces components to customer drawings may exclude design and development.

What Cannot Be Excluded

The following clauses and requirements cannot be excluded under any circumstances:

  • Clauses 4-7 and 9-10: Context, leadership, planning, support, performance evaluation, and improvement are always applicable
  • Clause 8.1: Operational planning and control
  • Clause 8.2: Requirements for products and services (customer communication, requirement determination, review)
  • Clause 8.4: Control of externally provided processes, products, and services (if external providers are used)
  • Clause 8.5: Production and service provision
  • Clause 8.6: Release of products and services
  • Clause 8.7: Control of nonconforming outputs

Exclusion Documentation

Any exclusion must be:

  • Identified in the QMS scope documentation
  • Justified with a clear rationale explaining why the requirement is not applicable
  • Reviewed by the certification body during audit
  • Noted on the certificate or its associated scope documentation

Outsourced Processes

Outsourced processes that affect conformity of products and services must be controlled within the QMS, even though they are performed by an external provider (Clause 8.4).

Identifying Outsourced Processes

  • Manufacturing subcontracting: Components manufactured by suppliers to your specifications
  • Calibration services: Measurement equipment calibration performed externally
  • Testing and inspection: Product testing conducted by third-party laboratories
  • Design services: Engineering or design work performed by external consultants
  • Logistics and delivery: Distribution and shipping handled by third parties
  • IT services: Managed IT, hosting, or software development performed externally

Control Requirements

For outsourced processes within scope, the organization must:

  • Define the type and extent of control applied to the external provider
  • Ensure externally provided products/services conform to requirements
  • Evaluate, select, and monitor external provider performance
  • Communicate requirements to external providers
  • Retain documented information of evaluation and monitoring results

Outsourcing a process does not outsource responsibility. If an outsourced process affects product or service quality, it must be controlled within your QMS regardless of who performs it.

Scope Statement Examples

The following examples illustrate well-written scope statements for different types of organizations:

Manufacturing Company

"Design, manufacture, testing, and supply of hydraulic cylinders and pneumatic actuators for industrial applications. Operations at [Address]."

SaaS Company

"Development, operation, and support of cloud-based project management software delivered as a service. Including product development, customer onboarding, technical support, and infrastructure management at [Address]."

Management Consulting Firm

"Provision of management consulting services in the areas of organizational transformation, process improvement, and change management. Services delivered from [Address] and at client sites."

Construction Company

"Management and execution of commercial and residential building construction projects, including project planning, site supervision, quality control, and handover. Operations from [Head Office Address] including project sites."

Logistics Provider

"Warehousing, inventory management, order fulfillment, and distribution of consumer goods. Operations at [Warehouse Address 1] and [Warehouse Address 2]."

Common Scoping Mistakes

These mistakes frequently cause problems during certification audits or reduce the value of the certificate:

1. Excluding Difficult Areas

Some organizations attempt to exclude processes that are difficult to control or document. Auditors will challenge exclusions that appear to be motivated by convenience rather than genuine non-applicability. If a process affects product/service quality, it must be in scope.

2. Overly Narrow Scope

Defining a scope that covers only a small part of the organization's activities can make the certificate less useful for customers. If the certificate covers "widget assembly" but the customer buys "widgets including design, assembly, and after-sales support," the certificate misses the mark.

3. Ignoring Outsourced Processes

Failing to identify and include control of outsourced processes is a frequent audit finding. If a supplier manufactures a key component, calibrates your equipment, or tests your products, those processes need to be addressed in the QMS.

4. Scope Misalignment with Customer Expectations

The scope should cover what customers expect it to cover. If customers engage you for end-to-end service delivery but your scope only covers one element, the certification loses its commercial purpose.

5. Not Updating Scope as the Business Changes

Organizations add new products, services, sites, and capabilities over time. The QMS scope should be reviewed and updated to reflect these changes. A certificate with an outdated scope does not represent the current organization.

6. Ambiguous Scope Language

Vague scope statements like "provision of services" or "manufacturing activities" do not tell anyone what is actually certified. The scope should be specific enough that a reader can understand what products/services and activities are covered without needing additional explanation.

Scope Review Checklist

Before finalizing your scope, verify: (1) it covers all products/services that customers expect to be certified, (2) all sites where in-scope activities occur are included, (3) any exclusions are genuinely justified, (4) outsourced processes are identified and controlled, and (5) the scope statement is clear and specific enough for your certificate.

Frequently Asked Questions

Can I exclude clauses from my ISO 9001 scope?

You can only determine that a requirement is not applicable if its non-application does not affect your ability to ensure conformity of products and services or enhance customer satisfaction. The most common permissible exclusion is Clause 8.3 (Design and Development) for organizations that do not perform any design activity. You cannot exclude clauses for convenience or to avoid difficult areas.

How do I handle remote workers in ISO 9001 scope?

If remote workers perform processes that are part of the QMS, they should be included in the scope. You need to define how QMS controls apply to remote work environments, including document access, communication, competence verification, and information security. The scope statement should reference that services are delivered from the main office and remote locations if applicable.

What is multi-site certification?

Multi-site certification allows a single ISO 9001 certificate to cover multiple locations operating under one centralized QMS. It requires a central function that manages the QMS across all sites, common processes and procedures, centralized internal audit coverage, and a central management review. The certification body uses sampling methodology per IAF MD 1 to select sites for audit.

Does my scope need to match my legal entity?

No. The QMS scope does not need to align with legal entity boundaries. It must clearly describe the activities, products and services, and locations covered. An organization may certify only part of its operations, or a single certificate may cover multiple legal entities if they operate under a unified QMS. However, the scope must be meaningful and not misleading.

What happens if my scope is too narrow?

An overly narrow scope reduces the commercial value of the certificate and may undermine credibility. Customers may require that the certificate covers the specific products or services they purchase. If the scope only covers a fraction of what you deliver, the certificate may not satisfy customer or tender requirements, making it ineffective as a market differentiator.

ISO 9001 Scope Definition Certification