ISMS implementation

1. Processes and services. Should I write about each service and each process specifically as part of the whole business model. Example : Managed Service Provider Service and all its processes Software Development Service and all its processes Software Support Service and all its processes Cloud Infrastructure Consulting Service and all its processes OR May I just put something more general that points to the idea that all the organizational business and processes are in the scope. A broader definition might be open to interpretation, but we really want the whole organization to be covered by the security benefits of having an ISMS in place. Example : Every service and process that is a part of the organization and its business is included in the scope.

Since your whole organization is part of the ISMS scope, you can use a text identifying your core business and including business management and supporting processes. Something like: Software development processes and their related supporting processes, and business administrative processes.

2. Organizational units May I just get away with putting down that the whole organization and all organizational units are included in the scope. Do I need to define organizational units if I am not going to leave any of them out of the scope ? Would an auditor be OK with that definition and would he/she understand that the whole organization is covered by the ISMS ? The problem is that the organization is fairly fluid and ever-moving and changing in regards to units and departments. This doesn't mean that people that are responsible for certain things are not appointed. Everything is logged, double checked and audited, but it would be a bit difficult to channelize every organizational aspect into a department or a unit.

Since your whole organization is part of the ISMS scope, then you can only state that the whole organization is in the scope.

3. Network and IT infrastructure This one seems really tricky for me. A lot of our IT infrastructure is ever-changing so to speak of - networks, devices, services are constantly added, removed, migrated, changed. If I need to list every piece of IT infrastructure and network that would be an Inventory of Assets of its own. So the question is - when I've actually done the work to mark every piece of data in the Inventory of Assets do I need to relist everything under the "Networks and IT infrastructure" as well ? May I just put in something showing the general concept of ISMS coverage ( i.e everything ). Would a definition like "All networks and IT infrastructure that are located in the ( and here I would just specify the location )" is a part of the scope. Our IT infrastructure is only in one physical location and also the cloud. We are using the IaaS model and sometimes PaaS as a model. In this regard I would list those in the supplier policies and not in the scope.

Considering your context, the proper definition here is the one you thought “All networks and IT infrastructure that are located in the <location>”.

This article will provide you a further explanation about defining scope:

• How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/

This material can also help with defining scope:

• How to set the ISMS scope according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/