Hi. I have some questions with the ISMS scope.
The main company is based in Hong Kong. A subsidy is located in the Philippines. Some staff are hired in the Philippines to work for the main company in Hong Kong via remote work. They mostly have the same access to servers, network, applications and databases as the HK-based staff.
My questions are:
- Do we need to include the Philippine-based staff in the ISMS scope?
- Do we also need to include the Philippine office in the scope? The staff are remote-based but the employee/HR-based paper documents are stored/located in the Philippine office. Which means, physical protection (door lock, cabinet lock, cctv) need to be in place?