Expert Advice Community

ISMS Scope

Guest user Created:   Jan 24, 2020 Last commented:   Jan 24, 2020

We are using Google Cloud Services for all infrastructure and use other SaaS providers for e.g. identification services and financial status information on customers to the banks.
 
Right now I'm working with the ISMS scope document and struggle a bit with the boundary of the scope.
I assume Google IaaS should be outside scope as well as the SaaS services we use.
This is not as clear as the example used in your doc (private laptops and phones).
 
Any guidance on best practices on ISMS Scope in our case would be greatly appreciated before taking the next step for us.

(We would include the full company in the scope since we are very small.)


Expert
Dejan Kosutic Jan 24, 2020

You should include in the scope all assets you control directly - i.e. you would include data for SaaS, or data and application software for IaaS. 

You'll find a more detailed explanation here: Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/ 
