The Most Dangerous Sentence in Information Security? “That’s Not in Scope.”
If your ISMS scope feels like documentation, you are not managing security—you are managing blind spots
By Eckhart Mehler for CISOsCISO — a perspective on cybersecurity leadership, governance and the decisions that determine whether organizations retain control.
I have spent much of my career discussing threats.
Malware.
Ransomware.
Insider risks.
Nation-state actors.
Supply chain attacks.
Today, I worry about something else.
Something far more common.
Something entirely self-inflicted.
A sentence.
A sentence that appears harmless in governance meetings, project reviews, audits, and transformation programs.
A sentence that can quietly undermine years of security investment.
“That’s not in scope.”
Few statements reveal more about an organization’s security posture.
Not because they describe a technical limitation.
But because they expose a governance decision.
And governance decisions have consequences.
The Most Dangerous Risks Are Often the Ones We Choose Not to See
One of the biggest lessons I have learned as a CISO is that organizations rarely fail because they are unaware of threats.
They fail because they choose not to look at certain realities.
Most security incidents are not caused by a lack of information.
They are caused by a lack of visibility, ownership, or willingness to confront uncomfortable truths.
This is why I no longer begin by asking whether an organization is secure.
I ask a different question:
Where has the organization deliberately decided not to look?
The answer often leads directly to the scope of the Information Security Management System.
Scope Is Not Documentation
Many organizations still treat scope as an administrative exercise.
- A paragraph in a policy.
- A section in an audit document.
- A requirement for certification.
- Something auditors need.
- Something consultants write.
- Something executives approve once and never revisit.
But that view fundamentally misunderstands what scope actually is.
The scope of an ISMS is not a description of the organization.
It is a declaration of governance intent.
It defines which parts of reality the organization has agreed to govern.
Inside the scope:
- Risks are assessed.
- Controls are implemented.
- Monitoring occurs.
- Accountability exists.
- Resources are allocated.
Outside the scope:
- None of these obligations necessarily apply.
That distinction matters.
Because attackers do not care about organizational boundaries.
Threat actors do not read scope statements.
Business disruptions do not respect certification limits.
Reality operates outside governance diagrams.
Certification Creates a Dangerous Illusion
ISO/IEC 27001 certification has enormous value.
It creates structure.
It establishes accountability.
It introduces discipline.
But certification can also create false confidence.
Over the years, I have encountered organizations that proudly displayed their certificates while critical business functions remained only vaguely connected to the ISMS.
The certificate was valid.
The governance model was not.
Identity platforms controlling access to thousands of users were treated as generic IT infrastructure.
Cloud environments hosting critical workloads existed in architectural diagrams but not in security governance processes.
Major enterprise applications operated under assumptions rather than explicitly documented ownership and risk treatment.
Everything appeared compliant.
Until someone asked a simple question:
“Where exactly is this governed?”
And suddenly nobody was entirely sure.
This is where certification can become dangerous.
Because certification demonstrates conformity to a defined scope.
It does not automatically prove that the scope itself reflects reality.
The Cost Nobody Talks About
When organizations discuss information security costs, conversations typically focus on tools.
- Security platforms.
- Cloud security solutions.
- Managed services.
- Consultants.
- Artificial intelligence.
But one of the most significant cost drivers is rarely discussed.
Scope.
Scope determines:
- How many assets are governed.
- How many risks must be assessed.
- How many controls must be implemented.
- How much evidence must be maintained.
- How much monitoring must occur.
- How much audit activity is required.
In practice, poor scope decisions create two equally destructive outcomes.
Over-Scoping
Some organizations attempt to include everything.
- Every system.
- Every process.
- Every location.
- Every asset.
The result is predictable.
Security teams become overwhelmed.
Documentation expands endlessly.
Prioritization disappears.
Governance becomes bureaucratic.
Security becomes expensive without becoming effective.
Under-Scoping
Other organizations move in the opposite direction.
They narrowly define boundaries.
They exclude complexity.
They avoid politically difficult discussions.
The result appears efficient.
Fewer risks.
Fewer controls.
Fewer audits.
Lower costs.
But what has actually been achieved is not efficiency.
It is invisibility.
The organization creates the appearance of control while systematically excluding areas where control is most needed.
Security becomes cheaper.
And significantly less meaningful.
Scope Is a Governance Instrument
One reason scope discussions are often avoided is that they quickly become political.
Not technical.
Political.
Because scope answers uncomfortable questions.
- Who owns the risk?
- Who funds the controls?
- Who accepts the exposure?
- Who becomes accountable when things go wrong?
Suddenly, scope is no longer a documentation topic.
It becomes a leadership topic.
And this is precisely why many organizations unconsciously avoid mature scope management.
Instead, they define boundaries according to organizational charts.
Business units become exclusions.
Transformation programs become temporary exceptions.
Cloud environments become “shared responsibility.”
Artificial intelligence initiatives become innovation projects.
Partner ecosystems become procurement issues.
Each exclusion reduces immediate friction.
But every exclusion also creates hidden risk.
The risk still exists.
Only the visibility disappears.
The SAP Question
Whenever I evaluate governance maturity, I use a simple test.
I ask:
“Is SAP explicitly in scope?”
Most organizations answer immediately.
“Of course.”
Then I ask the second question.
“How?”
And the conversation changes.
- Which business processes?
- Which information assets?
- Which cloud services?
- Which integrations?
- Which third-party providers?
- Which accountability structures?
- Which risk owners?
- Which monitoring mechanisms?
- Which recovery objectives?
Suddenly certainty disappears.
Because including a system in scope is not the same as governing it.
For multinational organizations, enterprise platforms such as SAP frequently represent one of the most critical intersections between business continuity, financial integrity, compliance, privacy, and cybersecurity.
If governance around such systems remains vague, the organization may be operating under one of the most significant hidden risks in its environment.
Why AI Will Make Scope Management Harder
The challenge becomes even greater with artificial intelligence.
Traditional scope discussions assume relatively stable systems.
- Applications.
- Infrastructure.
- Processes.
- Organizational units.
AI changes this assumption.
AI systems increasingly influence decisions rather than simply support them.
They affect:
- Workflows.
- Knowledge management.
- Risk assessment.
- Procurement.
- Human resources.
- Customer interaction.
- Operational decision-making.
The question is no longer whether AI is inside the scope.
The question becomes:
How do we define scope when decision-making itself becomes distributed across humans and machines?
Organizations that still view scope as static documentation will struggle to answer this question.
Organizations that treat scope as an evolving governance mechanism will adapt.
Scope Must Evolve Faster Than Audits
One of the most common mistakes I see is reviewing scope primarily during audit cycles.
Reality does not change annually.
Reality changes continuously.
Cloud adoption accelerates.
New suppliers are introduced.
Business models evolve.
Countries are added.
Partnerships expand.
Acquisitions occur.
AI capabilities emerge.
Digital ecosystems grow.
If the ISMS scope changes only when auditors arrive, governance inevitably falls behind reality.
And once governance falls behind reality, risk management becomes reactive rather than strategic.
Mature organizations understand that scope management is not an audit activity.
It is a business activity.
What CISOs Must Do Differently
Many CISOs invest enormous effort in improving controls.
Improving awareness.
Improving detection.
Improving response.
All of these are important.
But there is a more fundamental question.
What exactly are we governing?
Because every control, every risk assessment, every audit, every KPI, and every management review ultimately depends on the answer.
This requires a shift in mindset.
From:
“Defining scope for certification.”
To:
“Designing scope for governance.”
That means:
- Aligning scope with business-critical processes.
- Explicitly governing strategic systems.
- Making exclusions transparent.
- Assigning ownership for excluded risks.
- Reviewing scope continuously during transformation.
- Treating scope changes as executive decisions.
Not administrative updates.
Executive decisions.
Because that is what they actually are.
Final Thought
Every organization creates blind spots.
That is inevitable.
No governance system can cover everything.
The question is whether those blind spots are deliberate, visible, and managed.
Or accidental, invisible, and ignored.
Security without ownership is fiction.
Ownership without visibility is reckless.
And visibility begins with one deceptively simple question:
What exactly have we decided to see—and what have we decided to ignore?
The answer is not hidden in your risk register.
It is hidden in your scope.
And that answer may tell you far more about your security posture than any audit report ever will.
Publication Note & Disclaimer
This article was originally published on LinkedIn on April 9, 2026 and may have been edited or updated for publication on this site.
It reflects my personal professional perspective and does not represent the official policy or position of my employer. Drafting and editorial refinement may have been supported by commercially available AI-assisted tools. The analysis, conclusions and final curation are entirely my own.