
Expert Advice Community

Questions about Stage 1, and Scope

Guest
Guest user Created:   Feb 24, 2022 Last commented:   Feb 28, 2022

Dear Dejan,

We have already passed Stage 1 successfully with the recommendation from the auditor to move to Stage 2. Thank you very much for all your support and information!! Nevertheless, a little situation arose from the Stage and maybe you can give us some suggestions.

In our company we develop and maintain software and hardware (we have a pool of 80 developers). We defined our scope with the idea to include just the processes that support our development process:

“The information systems that support the following services are part of the ISMS scope:
o    Design, development, deployment, maintenance, and support of Software for localization devices for Industry, Automotive, Sports, and Personal protection
o    Design, deployment, and support of Hardware of localization devices for Industry, Automotive, Sports, and Personal protection.”

During Stage 1 the auditor commented to us that we should include all the developers within the scope, and thus include/raise the corresponding days and money. Or exclude the Development controls from the SoA and have a scope like this, without auditing the development:

“The operation of information systems that support the following activities and services:
o    Design, development, deployment, maintenance, and support of Software for localization devices for Industry, Automotive, Sports, and Personal protection
o    Design, deployment, and support of Hardware of localization devices for Industry, Automotive, Sports, and Personal protection.”

Does the inclusion of all the developers make sense to you? They work in different projects but basically work in the same way regarding the ISMS. We may have team leaders, developers, and working students, but all categories work in the same way. What could we argue against this decision/suggestion?

Thank you very much in advance

Expert
Rhand Leal Feb 24, 2022

In case the total number of employees in your company is fewer than 50, you should consider going with your original scope, because the effort to keep the smaller scope separated from the rest of the organization wouldn't be worthwhile.

In case your company has more than 50 employees, or you do not have a customer that requires your defined scope, then you should consider the narrower scope, because this will mean fewer resources and less effort to maintain the ISMS.

Guest
jorge Feb 24, 2022

Hello Rhand,

It is the certification body who is insisting that if we want to include development in the scope, and the relevant SoA controls, then all the developers must be included. In our opinion not all the developers are relevant for the ISMS. What can we argue against that vision?

You mention reducing the scope. We don't have a specific requirement from our customers regarding the scope or the development department, but we think that since we develop software it should be included. Why do you think that doesn't matter and that it is OK to reduce the scope?

Another question: does this little wording really mean so much in terms of who should be included in the scope?

"The information systems that support" vs "The operation of information systems that support"

Thank you very much for your help

Expert
Rhand Leal Feb 28, 2022

1 - It is the certification body who is insisting that if we want to include development in the scope, and the relevant SoA controls, then all the developers must be included. In our opinion not all the developers are relevant for the ISMS. What can we argue against that vision?

Please note that if all developers have access to the information you want to protect, then all developers need to be included in the scope (the point is not whether they are relevant or not, but which information they can access). In case you can evidence that the developers you do not want to include in the scope cannot access the information you want to protect, then you do not need to include these developers in the ISMS scope.

2 - You mention reducing the scope. We don't have a specific requirement from our customers regarding the scope or the development department, but we think that since we develop software it should be included. Why do you think that doesn't matter and that it is OK to reduce the scope?

Please note that it is not a question of whether we consider it matters or not to keep development in the scope (this decision is up to the organization according to its objectives and strategies). The situation is that the certification body is suggesting you make some adjustments, and we just provide informed alternatives for you to make a decision.

In our point of view, if you want to keep the development process in the scope, you need to make the adjustments suggested by the certification body (more details about the rationale are in the answer to question 1). If you understand that the adjustments are not necessary, you need to reduce the ISMS scope, so these points are not questioned by the certification body anymore.

Please note that you can keep the information security practices for development regardless of whether they are in the certification scope or not. Maybe after some time you will have more data to decide whether to include it in the scope.

3 - Another question: does this little wording really mean so much in terms of who should be included in the scope?

"The information systems that support" vs "The operation of information systems that support"

Please note that when you refer to "The information systems that support", all personnel who interact with the information systems need to be included in the scope (e.g., IT personnel, users, customers, etc.).

When you refer to "The operation of information systems that support", you limit the personnel who interact with the information systems to the people who keep them running, i.e., the IT staff.
