Expert Advice Community

Clarification on Scope of Work

Guest user Created:   Apr 24, 2020 Last commented:   Apr 24, 2020

1. What should be important considerations while defining Out of Scope in Statement of applicability?

2. If I have some systems which are currently running on obsolete technology or not in support technology, what does that mean for my ISO 27001 Stage 2 assessment and what impact it can have on certification?

Expert
Rhand Leal Apr 24, 2020

1. What should be important considerations while defining Out of Scope in Statement of applicability?

I'm assuming that by "Out of Scope" you are meaning controls that are not applicable.

Considering that, for a control to be considered not applicable in the Statement of applicability you have to be sure that:

  • there are no relevant risks you decided to treat that need this particular control to become acceptable risks
  • there are no legal requirements (e.g., laws, regulations, or contracts) that require this particular control to be implemented

For further information, see:

2. If I have some systems which are currently running on obsolete technology or not in support technology, what does that mean for my ISO 27001 Stage 2 assessment and what impact it can have on certification?

If the information security risks related to these systems running in this situation are identified and evaluated as acceptable by your organization, then this situation won't have an impact on your certification process, because you performed the risk assessment and risk treatment required by the standard (ISO 27001 does not require you to treat all risks, only those considered unacceptable).

On the other hand, if you consider the risks related to this technology as not acceptable, you will have to implement applicable controls (safeguards) before going to the Stage 2 certification audit.

These articles will provide you a further explanation about the certification audit:
