The scope should be specific enough that a reviewer can tell what is included, what is excluded, and why.
In scope
Use this section to list the actual boundaries adopted by Helixiora. A typical starting point is:
- the Helixiora legal entities and functions that design, build, operate, or support customer-facing services
- cloud platforms, internal tooling, endpoints, identities, and repositories used to deliver those services
- information assets handled by personnel, contractors, and approved suppliers in support of operations
Out of scope
Document any exclusions explicitly. For each exclusion, record:
- what is excluded
- why it is excluded
- which interface or dependency still needs to be managed
Interested parties
Typical interested parties include:
- customers and prospects
- personnel and contractors
- regulators and supervisory bodies
- suppliers and critical service providers
- leadership and investors
List the security or compliance expectations that matter most for each party.
Assumptions and constraints
Capture the assumptions that shape the scope, such as shared-responsibility boundaries, reliance on managed platforms, or the absence of on-premises infrastructure.