ISMS scope definition

Guest user. Created: Oct 18, 2017. Last commented: Oct 18, 2017.

The organisation where I am currently doing my internship has purchased your document for the ISMS scope. I have a question about this document. What is the best way to define the networks and infrastructure that belong to the ISMS scope?

Expert
Rhand Leal Oct 18, 2017

Do you have an example for this? Or do you know a question I could ask the top management to answer this part of this document?

Answer: An ISMS scope is defined in terms of information, location, organizational units and/or processes to be protected. So, once these are defined the identification of networks and infrastructure that belong to the ISMS scope is straightforward (any network and infrastructure involved with one of these elements should be included in the ISMS scope).

For example, if you define the scope in terms of location or organizational units, you should verify with the IT staff which networks and infrastructure are related to that location and include them in the ISMS scope. Generally, networks are defined in terms of segments (e.g., administrative network, development network, internal network, etc.), and infrastructures are defined in terms of the most relevant assets (e.g., database server, border firewall, etc.).

These articles will provide you further explanation about scope definition:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
- Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/

These materials will also help you regarding scope definition:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

isocert Oct 18, 2017

All clear to me. I was thinking too hard, I think. Another question. The scope of the ISMS in our case is our whole organisation (

Rhand Leal Oct 19, 2017

For such a small number of employees (especially if you are in a single location), probably the best course of action is to include all networks and infrastructure in the scope.

Regarding the scope statement, you can have a text like "every network and all infrastructures belong to the scope", but you have to ensure you have a separate document (like a network diagram) that identifies all elements that are part of your network, so when you start your risk assessment you know which elements you have to evaluate.

isocert Oct 24, 2017

Thank you so much for this clear explanation!
