Limiting the scope

I wanna ask you one simple question. I will start a new ISO 27001 implementation in a large manufacturer.

This is a company having entities in other countries. They have already had ISO 27K certification for other countries but their scope is restricted only for few business units like R&D, Design, Service and Assembly Line.

I read yr article about defining the scope.

My question: If I don't take other departments (like HR, IT, Facilities, etc) in the scope, would these departments be external parties to these other units (that is, R&D, Design, Service and Assembly Line) in scope ? So, for each data interaction, would they need to do risk assessment with other departments of the company ? I think this will make it difficult to happen. Am I wrong ?

What do you suggest ?

Answer:
Basically these units (HR, IT, facilities, etc) should be treated in the same way as an external provider (which is providing internal services). So, the organization should perform the risk assessment of HR, IT and facilities units to identify if there are risks for the information for which R&D, Design, Service and Assembly are responsible. By the way, in this case is also very important to sign terms and conditions for the services provided.

Finally, generally the recommendation is try to extend the scope to the whole organization, and if it is not possible, try to set the scope in organizational units which are sufficiently independent. Maybe this article can be interesting for you “Problems with defining the scope in ISO 27001” : https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

And maybe our online course can be also interesting for you “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/