Determining the Scope of the Business Continuity Management System Under ISO 22301
ISO 22301 Clause 4.3
This sub-clause requires the organisation to determine and document the boundaries and applicability of the BCMS - which sites, products and services are covered.
ISO 22301 Clause 4.3 - Determining the Scope of the Business Continuity Management System
Clause 4.3 is where the abstract becomes concrete. Clause 4.1 looked at context, Clause 4.2 looked at parties; Clause 4.3 takes those inputs and turns them into a clear statement of what the BCMS actually covers - which sites, which functions, which products and services are inside the boundary. Scope decisions made here drive everything that follows.
What ISO 22301 Clause 4.3 Requires
The clause requires the organisation to determine the boundaries and applicability of the BCMS, taking into account the external and internal issues identified at Clause 4.1, the requirements identified at Clause 4.2, and the organisation's mission, goals, and internal and external obligations. The scope must be available as documented information.
The organisation must also establish which parts of the organisation are included in the BCMS, accounting for location or locations, size, nature and complexity, and identify the products and services that are to be included. Where any clauses are excluded, the exclusions must be documented and justified, and the exclusions must not affect the organisation's ability or responsibility to provide products and services that meet customer and applicable legal and regulatory requirements.
Writing a BCMS Scope Statement
A useful BCMS scope statement is short, specific and unambiguous. It should answer four questions: which legal entity is in scope, which sites or locations, which products or services, and which interested parties' requirements are being addressed. A statement that says "all activities of the organisation" tells nobody anything and tends to fall apart at audit when an excluded function turns up in the BIA.
For ISO 22301, scope decisions are particularly important because they drive the business impact analysis. If the manufacturing arm is in scope but the distribution arm is not, the BIA must justify why distribution disruption is not material to the in-scope products and services. That kind of joined-up thinking is what auditors look for.
The scope statement is one place I always recommend keeping in the IMS manual rather than scattered across multiple documents. It is the reference point everyone comes back to. Have it written out clearly, dated, owned by top management, and make sure the BIA, the risk register and the BC plan all line up with it.
I read the scope statement on the first morning of every audit. If it says the BCMS covers UK operations but I find that critical IT support is delivered from an offshore team that is not mentioned anywhere, I have to raise that. Excluded activities are fine if they are deliberate and justified. Activities that are silently outside scope are a problem.
Practical Compliance Guidance
The IMS1 Integrated Management System Manual provides a dedicated section for the scope statement, with worked examples. The scope is recorded once, in the manual, and referenced from other BCMS documents rather than duplicated.
The documents below support the definition and recording of BCMS scope.
| alphaZ document | How to use it |
|---|---|
| ISO 22301 Toolkit | The full set of policies, procedures, registers and plans that build a BCMS to the requirements of the standard. |
| IMS1 - ISO 22301 Manual | The integrated management system manual that holds the BCMS scope statement and the supporting context information. |
Subscribers to alphaZ have access to all of these documents and supporting material. Find out more about the alphaZ subscription.
