ISMS scope - IT admins out of the scope?

Guest user | Created: Jul 23, 2020 | Last commented: Jul 23, 2020

Dear Advisera support,

We’ve bought the toolkit – thank you!  -  and I have a couple of questions regarding ISMS Scope:

1. We want to restrict the scope to one software support service only. There are about 100 employees working on this support service with customers. Could we define the Scope as a service?
2. There are 5 office locations. Should we name exact addresses or just cities?

3. There are two servers in the cloud for the service, they are administered by our IT admins, so they are asset owners for them. The question is: can IT system administrators be not in the scope? Or should all the assets/asset owners be in the scope?

Expert
Rhand Leal Jul 23, 2020

1. We want to restrict the scope to one software support service only. There are about 100 employees working on this support service with customers. Could we define the Scope as a service?

ISO 27001 ISMS scope can be defined in terms of locations, information, business units, or processes to be protected, so you can define a single software support service as your ISMS scope.

For further information, see:

2. There are 5 office locations. Should we name exact addresses or just cities?

 You need to identify the exact addresses of each office location from where the software support service is provided.

3. There are two servers in the cloud for the service, they are administered by our IT admins, so they are asset owners for them. The question is: can IT system administrators be not in the scope? Or should all the assets/asset owners be in the scope?

You can define the IT system administrators as out of scope, but you need to evaluate if this separation is worth the effort (since they administrate assets that are part of the service, you would need to treat them as an external supplier for your ISMS scope).

For further information, see:
