If an organization is having its physical data center at another location with a private hosting group. In this case, do the controls for physical perimeter security and data center security would come into play? kindly share the justification as well.
If you have outsourced your IT infrastructure to an external provider (external data center providing hosting services), you cannot manage controls related to their physical perimeter, so in this case you must identify all risks related to their service and include security clauses in the agreement with that provider. However, you can control assets that you directly manage: data, applications, virtual servers, etc. so there you will apply appropriate security controls.
So, basically all IT infrastructure provided by an external company (physical servers, etc.) should be out of the scope of your ISMS, and all assets that you can manage (virtual servers, web servers, applications, etc) should be included in the scope.
And also this one “ISO 27001 vs. ISO 27017 – Information security controls for cloud services” : https://advisera.com/ 27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/