I suspect that you're looking at either writing a infosec risk assessment or carrying out something akin to threat modelling, unless you are looking at carrying out an impact assessment of a proposed change that could affect a known class of assets.
@ofaheem1974 wrote:Now, the thing I am looking for is that I have to write this procedure so that if somebody sees my SOP, they can quickly understand what they could write in Scope.
This may be a hard topic to speak about generically, but something that might help trigger your thinking is that the main purpose of an impact analysis/assessment is to determine how a proposed change impacts the security posture of a system. For example does a new corporate logo impact the security of the company's web site? In this regard, everything is anchored to a change request, and so that request, if thorough enough, should help define the scope. In contrast, you're not bringing into play things unrelated to the change.
It's a bit like writing a testing procedure. If you have a product that has a new firmware update, your scope of testing will focus on that firmware. You're not (probably) putting it through physical tests (dropping etc.).
That said, an SIA can cause you to overlook some things. A new company logo may seem to be nothing, but now in the context of the LogoFail vulnerability, it could be a big deal. But you have to start somewhere. Your focus, your scope is only on what is changing.