Expert Advice Community

Environment and Scope

Guest user. Created: Sep 30, 2023. Last commented: Sep 30, 2023


As a higher education institution, we operate in a hybrid environment encompassing cloud and on-premise resources, third-party services, as well as both in-house and outsourced application development. Our ISMS scope is currently confined to the IT department. Given this, which assets should we include in our ISMS?

Should it be limited to IT assets such as infrastructure, servers, network systems, applications, data centers, UPS, air conditioning, connectivity, and IT human resources? Or should we extend the scope to include departments like HR and Procurement?

When it comes to setting our ISMS objectives, considering the scope is limited to the IT department, should the security objectives also be confined to IT-related security measures?


Expert
Rhand Leal, Sep 30, 2023

1 - As a higher education institution, we operate in a hybrid environment encompassing cloud and on-premise resources, third-party services, as well as both in-house and outsourced application development. Our ISMS scope is currently confined to the IT department. Given this, which assets should we include in our ISMS?

Since the current ISMS scope is confined to the IT department, the assets to be considered for the ISMS should be those directly under the control of the IT department (e.g., on-premise resources, in-house application development, data for SaaS, data and applications for IaaS, etc.).

2 - Should it be limited to IT assets such as infrastructure, servers, network systems, applications, data centers, UPS, air conditioning, connectivity, and IT human resources? Or should we extend the scope to include departments like HR and Procurement?

Each company can decide what ISMS scope best fits their needs. This is usually done based on customer requirements - if the customers require only the IT department to be certified, then this is usually enough.

3 - When it comes to setting our ISMS objectives, considering the scope is limited to the IT department, should the security objectives also be confined to IT-related security measures?

Besides the IT-related security objectives, the ISMS objectives should also be considered in terms of added value to the company. For example, to decrease the number of information security incidents by 50% in the next year.

These articles will provide you with further explanation about defining the ISMS scope and objectives:

This tool for defining the ISO 27001 ISMS scope can also help you.
