The devil is in the details, and in ITSM implementations!

Vague or high-level scope definitions are one of the most common causes of failure or friction. Each scope area must be broken down clearly, with agreed assumptions, responsibilities, and boundaries.

Let’s walk through how to detail each scope element properly, with practical examples and what questions you should answer during scope definition.

1. Processes to Be Implemented — Detailed Definition

Instead of just saying “Incident Management,” clarify:

  • What is the entry point? (email, portal, phone, API)
  • Is there categorization/sub-categorization logic?
  • Who owns the process and approvals?
  • Escalation rules?
  • How are SLAs calculated — by service, priority, or both?
  • Are major incidents treated differently?

Good Example:

“Incident Management process includes logging via portal/email, automatic assignment based on service and location, SLA-based escalation to team leaders, and integration with on-call schedules. Major Incidents will trigger a separate workflow with defined stakeholder notifications.”

2. Modules/Features — Detailed Scope

Avoid saying: “Service Catalog included.” Instead clarify:

  • How many service items?
  • Are they requestable or informational?
  • Do they require approval chains?
  • What’s the fulfillment workflow per item?

Good Example:

“Service catalog will include 15 requestable items across IT and Facilities, with dynamic forms, approval matrix by department, and fulfillment tasks assigned to respective owners.”

3. Organizational Units

  • Are all departments included or just IT?
  • Are external users (vendors, customers) in scope?
  • Are support hours the same for all units?

Good Example:

“Implementation will cover IT and HR departments in Phase 1, with separate support queues, working hours, and SLA policies.”

4. Roles and Permissions

  • Define who can do what — and how many users per role.
  • Do they need access to multiple departments or queues?

Good Example:

“There will be 50 service desk agents, 10 process managers, and 500 end-users. Permissions will be role-based and aligned with Active Directory groups.”

5. Integrations

  • Is it one-way or two-way sync?
  • What data fields are exchanged?
  • Frequency of sync and authentication method?

Good Example:

“AD integration to sync users hourly using LDAP over SSL. Monitoring tool will create incidents via REST API with ticket ID feedback loop.”
