Defining your QMS scope is one of the most consequential decisions you'll make in your ISO 9001 certification journey — and one of the most commonly mishandled. I've worked with 200+ organizations across industries at Certify Consulting, and scope errors are among the top three reasons companies fail their Stage 1 audit or receive major nonconformances.
Get it right and your QMS becomes a precision instrument. Get it wrong and you'll spend months reworking documentation, re-training staff, and explaining to auditors why your system doesn't reflect what your organization actually does.
This guide walks you through everything you need to know to define a defensible, audit-ready ISO 9001 scope — from the standard's requirements in clause 4.3 to practical decisions about sites, products, and exclusions.
What Is a QMS Scope and Why Does It Matter?
Your QMS scope is a formal statement that defines the boundaries and applicability of your Quality Management System. It tells auditors, customers, and stakeholders exactly which products, services, locations, and processes fall under your ISO 9001 certification.
Think of it as a fence line around your quality system. Everything inside the fence is subject to ISO 9001 requirements. Everything outside is not — and your auditor will probe that boundary closely.
A well-crafted scope statement: - Establishes what your certificate covers (and what it does not) - Drives which processes, departments, and locations require documented procedures - Determines where internal audits must be conducted - Informs which clause requirements apply or can be legitimately excluded
According to the International Accreditation Forum (IAF), scope-related issues are cited in approximately 30% of all Stage 1 audit findings, making it the single most common pre-certification stumbling block.
The ISO 9001:2015 Requirements: Clause 4.3 Explained
ISO 9001:2015 clause 4.3 — Determining the scope of the quality management system — is concise but deceptively demanding. It requires your organization to determine the scope by considering:
- External and internal issues identified in clause 4.1 (context of the organization)
- Requirements of relevant interested parties identified in clause 4.2
- The products and services your organization provides
The standard also requires that your scope be available as documented information and stated as the types of products and services covered.
Critically, clause 4.3 specifies: "The organization shall apply all the requirements of this International Standard if they are applicable within the determined scope of its quality management system."
This is a common misread. The scope doesn't allow you to exclude clauses you simply find inconvenient. Exclusions are only permissible when a requirement genuinely cannot be applied and its exclusion does not affect the organization's ability to ensure conformity of products and services.
What Clause 4.3 Actually Requires You to Document
Your scope statement must include: - Types of products and/or services covered - Applicable locations or sites (if multi-site) - Any clause exclusions, with justification - A rationale connecting your scope to the context and interested party analysis from clauses 4.1 and 4.2
Step-by-Step: How to Define Your ISO 9001 QMS Scope
Step 1: Complete Your Context Analysis First (Clauses 4.1 & 4.2)
This is the step most organizations skip — and it causes major problems downstream. Your scope must be informed by your context analysis, not written in isolation.
Before drafting a single word of your scope statement, complete: - Clause 4.1: Internal and external issues (SWOT, PESTLE, or equivalent analysis) - Clause 4.2: Interested parties and their relevant requirements (customers, regulators, employees, suppliers)
Your auditor will trace a direct line from your context analysis to your scope. If they can't, expect a finding.
Step 2: Map Your Products and Services
List every product and service your organization provides. Then ask two questions for each:
- Does our quality system govern how this is designed, produced, or delivered?
- Do customers or regulators have quality requirements for this output?
If yes to either, that product or service should be in your scope. Be specific — "software development services" is more defensible than "IT services." The more precisely you name your outputs, the cleaner your scope boundary becomes.
Step 3: Identify Your Applicable Locations and Sites
For single-site organizations, this is straightforward. For multi-site operations, you must decide:
- Is each site seeking individual certification, or are all sites included under one certificate?
- Are there remote or temporary worksites that should be included?
- Are there administrative offices that support but don't perform QMS-relevant activities?
A registered office that only handles payroll, for example, may legitimately sit outside your scope. A warehouse that ships certified products almost certainly cannot.
Multi-site scope decisions have financial implications. Certification bodies typically base audit day calculations on the number of sites within scope. Each additional site adds surveillance audit costs, so the scope decision is also a budget decision.
Step 4: Identify Legitimate Clause Exclusions
Under ISO 9001:2015, clause exclusions are only permitted for clauses within Section 8 (Operation). No other section of the standard can be excluded.
Common, auditor-accepted exclusions include:
| Clause | Requirement | Common Exclusion Scenario |
|---|---|---|
| 8.3 | Design and development of products and services | Organizations that manufacture to customer-provided specifications only |
| 8.5.4 | Preservation | Service-only organizations with no physical product |
| 8.5.5 | Post-delivery activities | Organizations with no contractual post-delivery obligations |
| 8.7 (partial) | Control of nonconforming outputs | Organizations providing pure professional services |
Important: Each exclusion must be justified in writing. Stating "not applicable" without explanation is a common nonconformance. Your justification must explain why the clause cannot apply given your specific products, services, and processes — not simply that you choose not to apply it.
Step 5: Draft Your Scope Statement
A strong scope statement is specific, bounded, and traceable. Here's a practical template:
"The Quality Management System of [Organization Name] covers the [design/development/manufacture/provision] of [specific products/services] at [location(s)]. This scope excludes clause 8.3 (Design and Development) as [Organization Name] manufactures products exclusively to customer-supplied specifications and drawings."
Avoid vague language like: - ❌ "All company activities" - ❌ "Our business operations" - ❌ "Everything we do"
These phrases tell an auditor nothing and invite boundary-pushing questions during certification audits.
Step 6: Validate Your Scope Against Interested Party Requirements
Return to your clause 4.2 analysis. For each key interested party, ask: Does our scope statement capture the activities that affect their requirements?
- Customers: Does the scope include all products/services they purchase under the QMS umbrella?
- Regulators: If you're in a regulated industry (medical devices, aerospace, food safety), does the scope align with your regulatory registrations?
- Certification body: Will your scope match what appears on your ISO 9001 certificate?
Misalignment between your certificate scope and your regulatory filings is a serious compliance risk in industries like pharmaceuticals, medical devices, and aerospace.
Common Scope Definition Mistakes (And How to Avoid Them)
Mistake 1: Scoping Out Inconvenient Processes
I regularly see organizations attempt to exclude customer complaint handling, supplier management, or nonconformance processes because they're "not mature yet." This is not how exclusions work. Clause applicability is determined by your products and services — not your readiness level. If a process affects product/service conformity, it belongs in scope.
Mistake 2: Writing a Scope That's Too Broad
Broader is not better. An overly broad scope means more processes to document, more areas to audit internally, and more surveillance audit days. A manufacturer of industrial fasteners who scopes in their corporate marketing team has created work for themselves without adding quality value.
Mistake 3: Disconnecting Scope from Context
Your scope should read as a logical conclusion of your clause 4.1 and 4.2 analyses. Auditors at Stage 1 will review these documents together. If your context mentions three product lines and your scope only mentions one, expect a major nonconformance request.
Mistake 4: Failing to Update the Scope When the Business Changes
ISO 9001:2015 requires your QMS — including scope — to evolve with your organization. A scope written in 2020 for a 50-person manufacturer may be wholly inadequate for a 200-person operation that has added contract manufacturing and field service activities. Scope review should be a standing agenda item at management review meetings.
Mistake 5: Confusing Scope with Objectives
Your scope defines what your QMS covers. Your quality objectives define what you're trying to achieve. These are different documented information requirements under different clauses (4.3 vs. 6.2). Conflating them in a single document is a common documentation error that creates confusion during audits.
Scope Definition for Specific Industry Contexts
Manufacturing Organizations
For manufacturers, scope decisions typically center on whether design and development (clause 8.3) applies. If you build to your own drawings and specifications, it almost certainly does. If you build exclusively to customer-supplied prints, an 8.3 exclusion is usually defensible.
Also consider: Do you have multiple manufacturing lines producing different product families? Your scope should either encompass all of them or clearly delineate which product families are included.
Service Organizations
Service scopes are often cleaner in some respects (no physical product to preserve or identify) but trickier in others. The boundaries of a "service" are inherently less tangible than a physical product. For professional services firms, consulting practices, or IT service providers, I recommend scoping by service line and delivery methodology, not just by department.
Multi-Site Organizations
The IAF Mandatory Document IAF MD 1 provides specific guidance on multi-site certifications. Under this framework, if sites perform similar activities, a sampling approach to auditing may be acceptable. However, your scope document must still identify each included site by name and address.
Research by the British Assessment Bureau found that multi-site ISO 9001 implementations are 40% more likely to receive scope-related nonconformances than single-site implementations — largely due to inconsistencies between what sites actually do and what the centralized scope document claims.
Small and Medium Enterprises (SMEs)
For SMEs, the temptation is to write an expansive scope to appear more impressive to prospective customers. Resist it. A tightly defined, well-executed scope earns more customer confidence than an ambitious scope that your QMS can't actually support. At Certify Consulting, I consistently advise clients: certify what you do, then expand what you certify.
How Your Scope Affects Your Certificate
Your ISO 9001 certificate will display a scope statement — typically a condensed version of your documented QMS scope. This is the statement customers, procurement departments, and regulatory bodies will see when they verify your certification.
Certificate scope wording is agreed between you and your certification body at the Stage 1 audit. It's worth investing time to craft language that:
- Accurately reflects your certified activities
- Is meaningful to customers in your industry (avoid internal jargon)
- Aligns with how you describe your business in proposals and contracts
A mismatch between your certificate scope and how you represent your capabilities in a contract can create contractual and liability exposure, particularly in regulated industries.
Scope Documentation: What You Need to Have Ready for Audit
For a clean Stage 1 audit, you should have the following documented and cross-referenced:
| Document | Clause Reference | Key Content |
|---|---|---|
| Context of the Organization | 4.1 | Internal/external issues analysis |
| Interested Parties Register | 4.2 | Stakeholders and their requirements |
| QMS Scope Statement | 4.3 | Products/services, locations, exclusions |
| Exclusion Justifications | 4.3 | Written rationale for each excluded clause |
| Process Map or Turtle Diagram | 4.4 | Interaction of QMS processes |
These five documents form the foundation of your QMS architecture. An auditor reviewing them should be able to understand your business, your stakeholders, and your system boundaries without asking a single question.
Scope Definition Checklist
Use this checklist before submitting your QMS documentation package to your certification body:
- [ ] Context analysis (4.1) is complete and documented
- [ ] Interested parties register (4.2) is complete and referenced
- [ ] Scope statement identifies specific products and/or services
- [ ] Scope statement identifies applicable location(s)
- [ ] All clause exclusions are listed with written justification
- [ ] Exclusions are limited to Section 8 clauses only
- [ ] Scope is consistent with your regulatory registrations (if applicable)
- [ ] Scope has been reviewed and approved by top management
- [ ] Scope is available as documented information (controlled document)
- [ ] Scope will be reviewed at each management review cycle
Final Thoughts: Scope as Strategy, Not Just Compliance
I want to leave you with a mindset shift that I share with every client at Certify Consulting. Too many organizations treat scope definition as a paperwork exercise — something to get through so they can move on to the "real" work of building the QMS.
That's exactly backwards.
The scope of your QMS is a strategic declaration. It tells the world what you stand behind, what quality commitments you're making, and where your accountability begins and ends. Organizations that approach scope thoughtfully — connecting it to their context, their customers, and their strategic direction — consistently build stronger QMSs that perform better in audits and deliver measurable business results.
At Certify Consulting, our 100% first-time audit pass rate across 200+ clients is built on one foundational principle: get the fundamentals right first. Scope definition is the first fundamental.
If you're unsure whether your current scope statement will hold up under auditor scrutiny, I'd encourage you to review our ISO 9001 documentation requirements guide for additional context on how your scope fits into the broader documented information framework.
You can also explore our breakdown of ISO 9001 clause 4 requirements to ensure your context analysis is providing the right foundation for your scope decisions.
For personalized guidance, visit certify.consulting to learn how we help organizations achieve first-time certification success.
Last updated: 2026-04-14
Jared Clark
Principal Consultant, Certify Consulting
Jared Clark is the founder of Certify Consulting, helping organizations achieve and maintain compliance with international standards and regulatory requirements.