The objective of this activity is to define the scope of the department’s IT security risk management
activities. The scope can be characterized by:
• The department’s programs, services, and business activities requiring protection;
• The major departmental IT assets (e.g., business applications, information systems, data centers,
local area networks, data processed and stored) and their geographical locations; and
• The core technologies that are used in departmental information systems.
The scope should clearly delineate the departmental business activities and IT assets that are within the
scope’s boundaries, and those that are excluded and why. The scope should also identify external
dependencies such as the IT services of external service providers.
The output of this activity is a definition of the scope of the department’s IT security risk management
activities.