This policy establishes the scope of a company's information security management system and characterizes the interfaces of its environment in terms of processes and technical infrastructure.

The scope of the system can be defined using different perspectives: the company’s hierarchical and functional risk organization, business and support processes, and interfaces to its environment. The system is risk driven; therefore, operational security to assure that the company business processes are directly derived from the company's business requirements. The risk management perspective considering business operations defines the scope of the system.