
Expert Advice Community

Defining scope

Guest user Created: Aug 29, 2018 Last commented: Aug 29, 2018

My question concerns a small company that sells an IT solution to big industrial companies. Some of the prospects are beginning to ask about Information Security Policies and Procedures, but the company needs to avoid an overkill project while at the same time making its big customers feel that their investment is safe. The project has to address the fact that the customers need to protect their investment in the projects we sell. I am at a loss at what to do...

Expert
Rhand Leal Aug 29, 2018

Answer:

Considering the scenario you presented, we could point out two main concerns of your customers: the protection of their information that is under your responsibility (e.g., company data, project requirements, etc.), and that your IT project solutions are capable of protecting their information in their operational environment.

With these concerns, you may consider three options:
- if your company has fewer than 50 employees, the best approach would be to implement the ISMS in the whole organization, since the effort to implement and manage an ISMS only for a part of such a small organization wouldn't pay off.
- if your company has 250 to 500 employees, you should consider defining your project scope to implement an ISMS to protect the process you use to develop your IT solution (you cannot certify a product or service, only the processes, locations and information related to them).
- if your organization's number of employees is between 50 and 250, then you should evaluate your context to see which approach would be best for you.

These articles will provide you further explanation about defining scope:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
- How to manage security in project management according to ISO 27001 A.6.1.5 https://advisera.com/27001academy/what-is-iso-27001/

These materials will also help you regarding defining scope:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
