Hope all is well. In my ISMS Scope doc, I specifically included my company’s two processes and services:
Managed Application Services (MAS) that help customers manage and host specific applications
Software as a service (SaaS) that provide cloud-based software solution for customers
The CS, TD and DTS are the three technology divisions providing the MAS and SaaS services therefore they are considered as the parties to implement and maintain ISMS.
Our Sales and Marketing Divisions are considered as the users, but they are, implicitly, responsible for following the ISMS policies and procedures, as users.
Can we exclude Sales and Marketing from the ISMS scope? Please advise.