Exclusions of the ISMS scope
If a unit in the organization (let us say HR) is excluded from the scope, there is a dependency between HR and other units (for example, HR is responsible for recruitment and training). Although HR is excluded from the scope, it still provides training for employees of other departments that are included in the scope. In this case, HR should be considered an external third-party provider to the other organizational units that are included in the scope, which means that HR should be controlled as a supplier.
What do you think?
You are basically right - if the HR department is outside of the ISMS scope, from the ISMS point of view it will have the same status as a third-party provider; of course, legally speaking, your HR department is not a third-party provider, but an organizational unit of your company.
This article will provide you with further explanation about scope definition:
This tool can also help you:
Oct 21, 2023