Implementing ISO 27001 for outsourced SOC services
I would like to know the following:
1. What is the best practice (from ISO 27001 and Governance perspective) for ownership of processes. Should these be under the SOC team, Corporate IT or other role?
Answer: In this case there is no definitive answer on how to implement an ISO 27001 ISMS, because depending on the organizational context, legal requirements and business objectives, one approach can be better than the other.
The ownership of processes should be designated to the entity in the organization with the authority to make and enforce the changes and adjustments required to achieve the proper level of security. In some organizations the SOC team has this level of authority, but in others this authority remains with the head of the IT department or even with the main executive (in small organizations).
For further information, please read:
- Should information security focus on asset protection, compliance, or corporate governance? https://advisera.com/27001academy/blog/2017/03/13/information-security-focus-asset-protection-compliance-corporate-governance/
2. Traditionally the SOC team has done whatever they want and purchased assets (systems, applications, etc.). What is the recommendation for ownership of assets? Should this be under the SOC team, Corporate IT or other role?
Answer: About ownership of assets, it should be designated to roles that can be made accountable for the protection of the asset. Since this is a more operational issue, you can consider the SOC team as responsible for the assets.
For further information, please read:
- How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
- Risk owners vs. asset owners in ISO 27001:2013 https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/
3. Since the scope is the services provided by the SOC, how should the ISO 27001 documents be handled? Should they be written in the context of applying controls on the systems used by the SOC or in the context of systems the SOC supports for the customers?
Answer: The best approach would be integrating controls into existing documentation, since this way the security will be perceived as part of the process, and it will be easier to understand and use.
For further information, please read:
- 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
Apr 04, 2019