Good morning,
Could you help me with a practical guide and/or examples to help me establish the scope of my Information Security Management System (ISMS) and comply with ISO 27001:2013.
What considerations should I take into account to establish the scope of the ISMS?
Here is some context about my organization:
My company has a mixed operations model: employees in telecommuting mode and some employees in a physical office, and we occasionally rent a coworking space for meetings or for some group activities and/or meetings with clients.
In the short term we will only have telecommuting employees and we will give up the physical office.
All our application servers are in the cloud (we have a private cloud); we use Microsoft Office 365, Google G Suite and Zoom.
Employees from software development, designers, analysts and data scientists connect via VPN to the private cloud, and each has a virtualized Windows 10 computer for their work.
Salespeople do not connect via VPN to the private cloud; they only use web applications (Office 365, Google G Suite, Zoom, CRM).
The accounting area connects by remote desktop to its own server in the private cloud; it is an RDP (Remote Desktop) server.
They (commercial and administrative areas) are assigned a company computer.
Developers, designers and analysts are normally allowed to work from their own personal computers, but only to connect via VPN to the cloud.
Very few have asked the company to assign them a computer for telecommuting.
We have a task that weekly downloads the backups of our main virtual servers and of the developers' virtual machines that are in the cloud to a storage server located in our physical office.
Our servers are in a datacenter that has ISO 27001:2013 certification.
In the physical office we have 4 servers, but they are only for backup storage and for tests.
First, it is important to note that an ISMS scope can be defined in terms of processes, location, or information to be protected.
Considering that, and your stated scenario, you should define your ISMS scope either in terms of processes (development process, sales process, accounting process, etc.) or information to be protected (e.g., customer information, financial information, etc.).
By the way, included with your toolkit you have access to a video tutorial that can help you define your ISMS scope. This video contains examples.