We're working with the documents and the process goes well overall.
I do have a question on defining the scope of the ISMS. We are a software consulting company; we have our own products, but we also deliver development services to customers. I want to express that software that we develop and manage (SaaS) on our own terms (our own products) falls within the scope of the ISMS. When we work for customers, we want to follow whatever guidelines our customer asks for. In addition to the software development services themselves, the overall IT infrastructure and security of all departments (backups, password rules, network security, anti-virus rules, ...) managed by our personnel should in general fall within the scope of our ISMS. I wrote down the scope as below, but I wonder if the last bullet point is not too broad, pulling *all* general processes within the scope of the ISMS (e.g. company car policy?). What's your opinion on the definition of the scope of our ISMS as stated below? Any suggestions to get closer to what I described above?
The following processes and services are included:
- The software development life cycle processes of *** software products.
- The operational processes of *** SaaS products, including SaaS products hosted in the cloud.
- Software development services delivered to third parties, insofar as contractual agreements contain secure software development life cycle (SDLC) requirements.
- System administration services delivered to third parties, insofar as contractual agreements contain ISMS requirements.
- Internal general processes and operations (e.g., HR, Finance, Accounting, Sales, ...).