Documenting scope of ISMS

Outsourced departments, networks, and infrastructure do not need to be included in the ISMS scope. You can define them as scope exclusions, explaining that such elements are outsourced.

For further information about ISMS scope, please see:

• How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
• Tool for defining the ISO 27001 ISMS scope https://advisera.com/insight/chatbot-tool-iso-27001-scope/

If we do not include outsourced IT services in our ISMS scope, does it mean we also do not need to apply all technical controls in SOA?

Thanks for your reply Rhand Leal, and also for your company's free lessons which is very helpful.

Please note that the application of controls in SoA is not necessarily related to the ISMS scope, but to the results of risks assessment and identified applicable legal requirements (e.g., laws, regulations, and contracts). This means that some controls will be implemented by your company, and some controls by your suppliers or partners.

For example, even if you do not include outsourced IT services in our ISMS scope, you may have a contract with a customer requiring the implementation of technical control, then this technical control needs to be stated in the SoA as applicable and implemented by your supplier.