Expert Advice Community

Questions about scope

Guest user. Created: Apr 28, 2019. Last commented: Apr 28, 2019

1. If we limit our scope to the datacenter, is it sufficient to ensure the confidentiality, integrity and availability of the data which is in the servers? I assume we don't have to ensure the confidentiality, integrity and availability of the data in WHMCS, which is a platform that is being used for support tickets and sales, right?
Expert
Rhand Leal Apr 28, 2019

Answer: First it is important to note that the objective of ISO 27001 is to protect information, so the main question is to identify which information you want to protect. Where this information is, is a secondary question.

Considering that, if your scope is the information stored and processed in the datacenter, and the information used by WHMCS is not stored in, or processed by, the datacenter, then you do not have to ensure its confidentiality, integrity and availability. Please note that there is a difference between where a system is used (e.g., by WHMCS operators in the main office) and where the data used by the system are (e.g., in the datacenter, or another place different from the main office).

2. Since we do have to limit access to the assets in the datacenter, is it enough that we cannot access them physically (since they are in another physically protected location)?

Answer: You also have to consider the risks related to remote access (e.g., administrators remotely accessing services for maintenance, or users and systems remotely accessing the data). If an unauthorized user has remote access to servers or data, he can do almost as much damage as if he had physical access to the assets.

3. You agreed on the fact that laptops do not "have to" be encrypted in case that the datacenter is the only location which is included. Does this mean that we also do not have to document these in the 'Inventory of assets'?

Answer: If no laptop is used inside the datacenter (e.g., some datacenter configurations rely on laptops as a central maintenance hub, so you do not have to access servers individually, and these may need to be taken off for maintenance or other purposes), and none of them has access to information inside the datacenter (by means of remote access as described in answer 2), then there is no need to include them in an 'Inventory of assets'.

4. We have the CTO, Technical Director and 2 Support Engineers who are doing the webhosting services. However, the other two owners of the company besides the CTO do have access to some of the systems (just because they are the owners of the company). They only have access to the WHMCS tool (which is being used for support tickets and sales), so they cannot take servers down or such. Is it relevant to keep these in mind if we are limiting our scope to the datacenter?

Answer: As mentioned in answer 1, if information handled by WHMCS is inside the datacenter, then you have to consider these two owners when planning the security of your scope. For example, if their access to WHMCS is not read-only and their accounts are compromised, an attacker can use them to delete, or tamper with, sensitive data.

5. Customer data that is involved in sales and for business purposes (such as name, address, etc.): is this something that we have to keep in mind (as for controls A.13.2.1, A.13.2.2, A.13.2.3 as an example) if we are only including the datacenter in the scope?

Answer: Please consider where this information is stored or processed. If it is stored or processed in the datacenter, then you have to consider it when planning the security of your scope.

6. (This last question is not directly related to the scope) Records of log reviews: In a webhosting company which is doing customer support on a daily basis, 8 hours per day minimum, this is not achievable; it would cause too much disruption to the business. We are reviewing logs for (nearly) each customer that has a problem.

Answer: First it is important to note that ISO 27001 does not prescribe how to perform log review, so you can perform it every time you have an entry, generating a review record for each entry, or you can define a verification period, when you verify all entries made during that period, generating only a single review record covering all entries reviewed. If this control is applicable to your organization, then you should consider whether this second option can be implemented for your business. If this is not possible, maybe the cost of the control is higher than the impact if the risk occurs, and the organization should accept the related risks.

7. I'm aware that the scope is the primary document that I have to fill in, but the problem is that each expert that I talk to (I also speak with experts outside Advisera) is telling me something different, and it is very hard for me as a student to sort this out in that case. I have to sort this out in the upcoming week, since there is a pre-audit on Friday.

Answer: Information is primarily built upon understanding of the organizational context and perceived risks, and since we and other experts do not have the same point of view, experience, and knowledge of your business, it is natural that divergences will arise. That's why it is important for the person responsible for the implementation to have some understanding of the basic concepts of information security (and for that we always suggest to users our ISO 27001 foundations course - https://advisera.com/training/iso-27001-foundations-course/), so this person can filter and adjust the answers provided by the experts considering his view of the business. This way, each time he interacts with the experts he can better guide them to provide answers that help him.
