I would like to start off with a scope that includes the information stored in our datacenters.
But, when I look at the ISO 27001 standard, it states quite clearly that:
When determining the scope, the organization shall consider:
a) the external and internal issues referred to in 4.1 (Understanding the organization and its context)
b) the requirements referred to in 4.2 (Understanding the needs and expectations of interested parties)
c) interfaces and dependencies between activities performed by the organization and those that are performed by other organizations.
I refer in particular to point c). We use 3rd party suppliers, some of whom process our client data (which is stored in our datacenter), and I was wondering: if I only include the information that is stored in our datacenter in the scope, and if I don't include 3rd parties in the scope, will the ISMS fail the audit? Or is it simply enough to say that we have controls and policies in place around the data that is stored in our datacenter, and these controls pertain to the 3rd parties who process some of that data that resides in our datacenter?