You can help me with the following questions
I would like to know what level of detail should be specified in the wording of the scope of the information security management system?
1. Should I write the exact listing of all the information assets covered?
2. Should I write the exact list of the information provided?
3. Should I write the exact list of applications / software covered?
4. Should I write the exact list of the physical offices covered?
5. Should I write the exact listing of the databases covered?
6. Should I write the exact list of websites / mobile applications covered?
7. If I want to include all the information assets of my organization is it sufficient to write: "The scope of the SGSI covers all the information assets of the Organization" or do I have to be explicit by detailing all the information assets?
8. Do I have virtual machines on Microsoft Azure that run critical applications, should I specify that the scope only covers the applications installed on these virtual machines that are on Microsoft Azure? or should I also include the virtual machines and their contents?
9. We currently have corporate mail with GOOGLE, is mail a critical asset in our organization, should I also include it in its scope if a service provided by a third party? What considerations do you have in the writing in the link at the level of this service?
10. Currently we send our customers emails and massive newsletters that contain important business information, are these emails and newsletters sent through a provider's software, should I also include it in the scope of a service provided by a third party? What considerations do you have in the writing in the link at the level of this service?