4.3 Determining the scope of the security management system

ISO 28000:2022 clause 4.3 requires an organization to define the boundaries and applicability of its security management system, identifying relevant sites, activities, products, services, and interested parties. This establishes what will be covered, excluded and the context for security objectives and controls, ensuring the system is tailored to the organization's risk profile and operational environment.