Defining the scope of the ISMS
We're working with the documents and the process goes well overall.
I do have a question on defining the scope of the ISMS. We are a software consulting company; we have our own products, but we also deliver development services to customers. I want to express that software that we develop and manage (SaaS) on our own terms (our own products) falls within the scope of the ISMS. When we work for customers, we want to follow whatever guidelines our customer asks for. In addition to the software development services themselves, the overall IT infrastructure and security of all departments (backups, password rules, network security, anti-virus rules, ...) managed by our personnel should in general fall within the scope of our ISMS. I wrote down the scope as below, but I wonder if the last bullet point is not too broad, pulling *all* general processes within the scope of the ISMS (e.g. company car policy?). What's your opinion on the definition of the scope of our ISMS as stated below? Any suggestions to get closer to what I described above?
The following processes and services are included:
- The software development life cycle processes of *** software products.
- The operational processes of *** SaaS products, including SaaS products hosted in the cloud.
- Software development services delivered to third parties, insofar as contractual agreements contain secure software development life cycle (SDLC) requirements.
- System administration services delivered to third parties, insofar as contractual agreements contain ISMS requirements.
- Internal general processes and operations (e.g., HR, Finance, Accounting, Sales, ...).
Considering you referred to "...overall IT infrastructure and security of all departments...", your last bullet makes sense, because it basically places your whole organization in your ISMS scope.
In case you want something specific out of the scope (e.g., a specific process or department), you can state this part as an exclusion in your scope document.
Please note that you do not need to include references to contractual agreements in the scope (this may unnecessarily restrict your scope), because these can be defined in a separate document (the List of Regulatory, Contractual and Other Requirements template, included in folder 2 of your ISO 27001 Documentation Toolkit).
These articles will provide you with further explanation about scope definition:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
These materials will also help you regarding scope definition:
- How to set the ISMS scope according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
May 05, 2021