What is a scope?
The scope refers to the segment of IT infrastructure responsible for mission-critical business processes. This specific part of the infrastructure falls under the requirements outlined in the Checklist. If the scope is not clearly defined and isolated, the entire corporate infrastructure will be considered within the scope.
As you’ve already noted, the first step in understanding the scope is defining what "mission-critical business processes" means for the entire organization. There isn’t a single correct answer to this question, as each organization’s definition will depend on its unique business objectives and operations.
Identifying mission-critical business processes is not a technical task. This responsibility initially falls on the business development, operations, and compliance teams. Once these processes are clearly outlined, the IT team steps in to identify all information systems supporting these processes. The resulting list of such systems is referred to as "mission-critical systems."
Another crucial aspect of defining the scope is knowing where to set boundaries. Without clear limits, you might end up including an overly broad range of systems, even extending to global communications infrastructure.
For this checklist, the scope should focus on systems the company can directly control, such as virtual machines, code repositories, and internal servers. Systems managed by third-party service providers (e.g., ISPs, cloud platforms) fall outside this direct control. Risks associated with these external systems should be addressed through service contracts. If risk negotiation isn’t feasible, providers should be selected based on their track record and reliability.