Defining scope
A chip manufacturing organization would like to go for ISO 27001 and wants to include only IT managed services in the scope. IT managed services is a support organization helping the entire business, but their labs environment is different and they would like to keep it out of the scope of ISO 27001. Is that possible?
Answer:
ISO 27001 does not require the ISMS scope to cover the whole organization, so it can be defined as only a small part of it if that fulfills the organization's needs and objectives.
What you should consider is whether the defined scope will protect the information the business considers relevant. For example, if you define only the IT managed services as the scope, but the information it handles is also used in the labs environment, that information may not be properly protected at the labs.
These articles will provide you further explanation about defining scope:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
These materials will also help you regarding defining scope:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Aug 18, 2018