Just boil the ocean.
—Will Rogers, American humorist,
A proposed solution to the threat of submarines (1917)
Scope, simply, is what you care about protecting, based on what your compliance and risk analyses uncover. The assets, processes, and personnel in scope are where you focus your controls to reduce risk. Because it isn’t always feasible to defend every asset from every threat, scope answers the question of what must be protected. The following are some examples of scoped assets:
Cardholder data, financial transaction data, protected health information
IT systems storing, processing, ...