27001 ISMS Scope Question

Question 1 Scope - Processes and Services

We are an IT company that has 2 cloud-based applications which we own, build and license to our customers. We are responsible for the data in these two systems and they are the reason we are undertaking the 27001 certification. So these two applications are obviously included in the Processes and Services part of our scope.

We also use multiple other cloud based services that contain our customer data including ***, ***, ***, ***, etc.

Am I right in saying that these third party systems can be excluded from our scope because it is the responsibility of the third parties (like ***) to secure the data we store in these systems?

Therefore, is it valid to say that the full extent of our Processes and Services scope should be our 2 applications?

Answer: First is important to note that an ISMS scope compliant with ISO 27001 cannot be defined in terms of systems and technologies. It must be defined in terms of information, processes, or locations to be protected.

Since you want to focus on the applications, you should consider for the scope the development, operation and maintenance processes related to these applications.

Considering that, you can include in the scope only the elements you control.

About third parties, you can exclude third party systems from your scope (e.g., when using cloud servers, you exclude the physical server of the cloud provider). 

These materials will help you regarding scope definition:
- Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/
- How to set the ISMS scope according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/ 
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Question 2 - IT Networks and Infrastructure

Our applications live in an ***. I've read your article on defining the scope with cloud servers. I think we're number 4 in that list. That is: The organization uses a third-party platform (public PaaS). 

2.1 - So in scope would be our two applications and the data within them but all Networks and Infrastructure are out of scope?

Answer: Your assumption is correct (Networks and Infrastructure are out of scope), but please note that the scope definition must be made in terms of the data or processes to be protected, so statement about your scope should be something like:

“The scope are the development, operation and maintenance processes of applications XXX in our PaaS environment”.

“The scope is the data stored and processed by applications XXXX in our PaaS environment”.

2.2. - Have I overlooked something here? Is it valid to limit the scope to the applications we own/build/license to our customers?

Answer: First is important to note that you cannot define the ISMS scope in terms of applications. In this case, you need to define the scope in terms of the process to maintain and operate the applications.

Considering that, you can limit the ISMS scope to only part of your organization, but you need to verify first if the effort to implement this separation is worthy (for small organizations up to 50 employees, defining the ISMS scope as the whole organization is more practical).

This article will provide you a further explanation about scope definition:
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

2. 3 - Thanks for your help. Please also confirm which email address we should address our questions to.

Answer: In the future, if you want to contact us you can use this e-mail: support@advisera.com