Defining scope

Answer:

According to ISO 27001, an ISMS scope must be defined in terms of information, locations or business units to be protected, considering the organization's objectives and context.
For small and mid-size organizations (up to 100 employees) often it is better to include all the organization in the scope, because the effort to keep only a part of the organization in the scope is not worthy. For bigger organizations defining a smaller scope may be better to reduce the costs and effort to what really matters for business objectives.

These articles will provide you further explanation about defining scope:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

These materials will also help you regarding defining scope:
- Book Secu re & Simple: A Small-Business Guide to implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/