In smaller companies, it is usually a person who is in charge of the ISO 27001 implementation (e.g., a Security officer) that writes the draft of the ISMS scope document. However, it is the top management that needs to approve the ISMS scope since this scope needs to be aligned with the expectations of the top management about what it wants to achieve with this implementation.