According to ISO 22301:2019, Clause 4.3, "Determining the scope of the business continuity management system," the organization must define the boundaries and applicability of the BCMS. This scope must be available as documented information. By defining the boundaries of what is included (e.g., specific locations, processes, products, services), the organization inherently and explicitly documents what is excluded. This clarity is crucial for interested parties to understand the extent and limits of the BCMS's coverage. The justification for these boundaries, and therefore any exclusions, is derived from the analysis of the organization's context and the requirements of its interested parties.

A. The scope must consider both internal and external issues, as well as the needs of interested parties, not just internal needs (ISO 22301:2019, Clauses 4.1 & 4.2).

B. The BCMS can be applied to the entire organization or to specific parts of it; it is not required to always cover the whole organization (ISO 22301:2019, Clause 4.3.1).

D. The scope must be reviewed and can be changed to ensure its continued suitability, especially as part of management reviews and continual improvement processes (ISO 22301:2019, Clause 9.3).

1. International Organization for Standardization (ISO). (2019). ISO 22301:2019 Security and resilience — Business continuity management systems — Requirements.

Clause 4.3.1 General: States, "The organization shall determine the boundaries and applicability of the business continuity management system to establish its scope."

Clause 4.3.2 Scope of the BCMS: Mandates that "The organization shall: a) define the scope by determining the boundaries and applicability of the BCMS... b) document the scope and make it available." This documentation of boundaries serves to clarify inclusions and exclusions.

2. Herbane, B. (2019). Rethinking business continuity management. Business Horizons, 62(5), 553-563.

Section 3, "A strategic perspective on BCM" (p. 556): The paper discusses the strategic alignment of BCM, which necessitates a clearly defined and justified scope. It implies that the rationale for the BCMS's boundaries (including what is not covered) must be understood and communicated, aligning with the principle of documenting and explaining exclusions. DOI: https://doi.org/10.1016/j.bushor.2019.05.003

3. Järveläinen, J. (2013). IT incidents and business impacts: A classification and the role of business continuity management. International Journal of Information Management, 33(5), 742-750.

Section 4.2, "Business continuity management" (p. 746): This article emphasizes that a key activity in BCM is defining the scope, which involves identifying critical business processes. This selection process inherently excludes non-critical processes, and the rationale for this scoping must be clear and documented for the BCMS to be effective. DOI: https://doi.org/10.1016/j.ijinfomgt.2013.05.003