| Where does it say we have to audit the scope?
Where does it say in ISO/IEC 27001 we have to audit the scope before we engage with a certification auditor?
To answer this question, we first must look at ISO/IEC 27006 - Information technology — Security techniques — Requirements for bodies providing audit and certification of information security management systems.
Clause 188.8.131.52 - IS 9.1.3 Review periods
The certification body shall not certify an ISMS unless it has been operated through at least one management review and one internal ISMS audit covering the scope of certification.
No matter if it is the first time you are seeking certification for the scope or you are expanding the scope to other offices and facilities, always make sure that a Management review and internal audit has been conducted.
The management review can be used by top management to sign off the management system as operational, this way evidencing to the certification auditor, that they understand their responsibilities.