Questions about Scope of my ISMS ISO 27001:2013

1. Should I write the exact listing of all the information assets covered?

2. Should I write the exact list of the information provided?

3. Should I write the exact list of applications / software covered?

4. Should I write the exact list of the physical offices covered?

5. Should I write the exact listing of the databases covered?

6. Should I write the exact list of websites / mobile applications covered?

7. If I want to include all the information assets of my organization is it sufficient to write: "The scope of the SGSI covers all the information assets of the Organization" or do I have to be explicit by detailing all the information assets?

This answer applies to questions 1 to 7.

The ISMS scope is normally defined in terms of general information (e.g., business information, customer information, R&D information, etc.), processes (SW development process, customer support process, sales process, etc.) or location (e.g., headquarters, an office, a building, etc.) to be protected, so you do not need to include assets in the definition of the ISMS scope.

For further information, see:

• How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
• Tool for defining the ISO 27001 ISMS scope https://advisera.com/insight/chatbot-tool-iso-27001-scope/

8. Do I have virtual machines on Microsoft Azure that run critical applications, should I specify that the scope only covers the applications installed on these virtual machines that are on Microsoft Azure? or should I also include the virtual machines and their contents?

When dealing with cloud services, you need to include in the ISMS only the elements you are responsible for. The other elements can be left out of the scope.

In this case, if you control the virtual machines (i.e., their maintenance and operation), then you need to include them in the ISMS. In case not, you only need to include the applications in the ISMS scope.

For further information, see:

• Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/

9. We currently have corporate mail with GOOGLE, is mail a critical asset in our organization, should I also include it in its scope if a service provided by a third party? What considerations do you have in the writing in the link at the level of this service?

In this case, since GOOGLE provides email as a service, you need to include in the ISMS scope only the email data.

10. Currently we send our customers emails and massive newsletters that contain important business information, are these emails and newsletters sent through a provider's software, should I also include it in the scope of a service provided by a third party? What considerations do you have in the writing in the link at the level of this service?

In the ISMS scope, you need to include the reference to the data, and mention that related services are provided by third parties.