I have a little problem or a concept that I want to ask related to ISO 27001 scope and ISMS
let for example a new startup start and when they have 20 employee they will try to certify themselves and they got certified and they certified whole organization because they CEO think that it will help them in market as well in information security
and when they grow and when they have about for example 3000 employee they understand that they didn't need to certify every bit of area of organization with iso 27001 and they just want to change they scope from whole organization to only for those information about they employee and they customer so at the end they can able to do that or not????
i know a gave a example that we can't see in our real life but we can do that or not??
wait for you reply
hope you will understand what i want to say :)