Expert Advice Community

Scope and asset definition

Guest user, created: Jun 28, 2017, last commented: Jun 28, 2017

We are a small (3 person) professional services firm and a fundamental question regards the ISMS scope generally. We outsource all our IT services, including IT security and network management (local IT services company), as well as data and application services (cloud providers, such as Microsoft). We are having trouble deciding where to draw the line on scope.

Expert: Rhand Leal, Jun 28, 2017

1. May we/should we exclude third-party cloud providers (document management, e-mail, and time and billing)? [Note: Most have their own ISO 27001 certifications—may we or should we reference these in our documentation, or would that only confuse things?]

Answer: By the scenario you described, you do not need to include the third-party cloud providers in your scope. The main point to consider here is how much direct control your firm has over the applications and databases hosted on the outsourced IT services. If you can manage the applications (e.g., create and manage user accounts, change configurations, etc.), you should include the applications in your scope. If all this management work is performed by the provider, you have to include only the databases in your ISMS scope (e.g., email database, documentation database, time and billing database).

2. Should we include our IT service provider? If so, how deeply must we delve into their systems? [They provide similar services to many companies, and have visibility into our system for maintenance and troubleshooting.]

Answer: As explained in the first answer, you do not have to include your IT service provider in the scope.

This article will provide you further explanation about Scope definition:
- Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

These materials will also help you regarding scope definition:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

3. A related question pertains to the distinction between a company and its software. For example, Microsoft as a company may be subject to threats such as breach of contractual relations or equipment failure. At the same time, its software (in this case Office 365) may have its own threats and vulnerabilities, such as application errors, inadequate patching, etc. Should these be combined in the risk assessment table as a single reference to Microsoft with all related threats and vulnerabilities, or should it be broken out as third-party provider and software? (Assuming, of course, that they are included at all consistent with our questions above.)

Answer: Considering your example, if your relationship with Microsoft is limited to the use of Office 365, then "Office 365" is the asset to be assessed, and all identified risks should be associated with it. However, if besides Office 365 you also use other Microsoft products or services (e.g., OneDrive, Skype, Windows, etc.), then an additional asset, called, for example, "Software Provider - Microsoft", should also be considered for assessment, because now you also have to consider risks in terms of all Microsoft products and services you use, not only the risk for specific ones, and this can be better handled if they are concentrated in a single asset.
