Are you able to help clarify our ISMS scope please? We have just started this process and I want to make sure I understand properly.
Question 1 - Scope - Processes and Services
We are an IT company that has 2 cloud-based applications which we own, build and license to our customers. We are responsible for the data in these two systems and they are the reason we are undertaking the 27001 certification. So these two applications are obviously included in the Processes and Services part of our scope.
We also use multiple other cloud-based services that contain our customer data, including ***, ***, ***, ***, etc.
Am I right in saying that these third party systems can be excluded from our scope because it is the responsibility of the third parties (like ***) to secure the data we store in these systems?
Therefore, is it valid to say that the full extent of our Processes and Services scope should be our 2 applications?
Question 2 - IT Networks and Infrastructure
Our applications live in an ***. I've read your article on defining the scope with cloud servers. I think we're number 4 in that list. That is: The organization uses a third-party platform (public PaaS).
2.1 - So in scope would be our two applications and the data within them, but all Networks and Infrastructure are out of scope?
2.2 - Have I overlooked something here? Is it valid to limit the scope to the applications we own/build/license to our customers?
2.3 - Thanks for your help. Please also confirm which email address we should address our questions to.