We are implementing an ISMS for the web service. It uses the web portal where users can log in and move on to use our service (let's call it serviceA), which is in scope. But the same web portal is also used for some other services (let's call them serviceB) which I don't want to be included in the scope. Different departments of the company work with those different services. So obviously I include the whole web portal in the scope, but I don't want to have the department which works with serviceB and has nothing to do with serviceA in scope.
How can I do it? Should I define this in the scope document as an exclusion, or maybe I should not mention it at all (I mean that I will only mention the department which works with serviceA in the "Organizational Units" section)? I understand that I will have to assess the risks that serviceB may cause, and I will mitigate them with some policies (Acceptable Use, Access Control) and also some technical controls.
Also, a similar situation could be like this: a department consists of 10 employees. Only two of them work with serviceA (which is in scope). Can I include only those two? And how do I do that? What exactly should be defined in the "Exclusions from the scope" section of the ISMS Scope Document? Is it something that we cannot control but that affects security? What I want to emphasize by asking this is: why should we define exclusions at all – maybe we do not need to exclude anything, since it is simply not included in the scope?
You should only use the "Exclusions from the scope" section to explicitly define elements that are inside your statement of scope but that you do not want the ISMS to handle. If you can make this separation when defining the scope, there is no need to define exclusions.
A good example is your department scenario. You can define only the two roles that have access to service A as part of the ISMS scope (in this case there are no exclusions), or you can define your department as a whole inside the ISMS scope and list the roles that do not need access to service A as "Exclusions from the scope".
Considering your other scenario, if service B is completely unrelated to, or can be easily separated from, service A, there is no need to mention service B as an "Exclusion from the scope". On the other hand, if service B is part of service A, then you should include service B in "Exclusions from the scope" so your ISMS does not need to manage it.
In both cases, to keep the document as simple as possible, we suggest that you make the necessary separation when defining the scope.