Defining scope
Answer:
The most important criteria you have to adopt for defining the ISMS scope are:
- which information you want to protect.
- where this information flows, and where it is processed and stored.
- the effort to keep the environment you want to protect separated from the rest of the environment.
For example, for organizations of up to 50 employees it is normally easier to define the whole organization inside the ISMS scope. In your case, if the information is contained in specific departments, it may be easier to define only these departments in the scope (if not, then you should define the whole organization inside the ISMS scope).
Regarding the remote workers, normally you do not control the environment where they are, so these are kept out of the scope, and you treat remote access as a risk in your assessment.
These articles will provide you further explanation about defining scope:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
If you believe you still need support for defining the scope, you can schedule a meeting with one of our experts at this link: https://advisera.com/27001academy/consultation/
Mar 02, 2019