Scope definition
Answer: Since your scope is limited to IT only, you should consider workstation assets (e.g., desktops, notebooks, printers, faxes, etc.), network assets (firewalls, switches, communication links, etc.), application software and datacenter assets (e.g., servers, databases, etc.), mentioning that the datacenter is outsourced (this information is important because you have to consider the provider during the risk assessment). You also have to state the location of the branches of the business that are part of the scope.
Additionally, you would need to include in the scope the applications and virtual servers from your outsourced data center if you control these assets.
By the way, the toolkit you bought includes access to a video tutorial that can help you document your ISMS scope.
These articles will provide you with further explanation about scope definition:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
- Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/
Regarding the video tutorials, please check the "Repository" at the top left corner of your screen in Conformio. From there you can find the subfolder "Video Tutorials". Consult this screenshot as a reference: https://www.screencast.com/t/T5rLxMgc3UJz
Since your scope is limited to IT, you should include in the scope only the IT personnel, but it is important that you state in your scope who is responsible for the information security regarding employees that have access to IT systems and resources in each branch (e.g., someone in headquarters or the head of each branch). To see more information about this issue, please read the section "Interfaces and dependencies" of the article "How to define the ISMS scope" (https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/) that was also included in the previous post.
You can exclude elements from the scope (e.g., fax or printers) only if they are not related to the information your ISMS is proposed to protect. For example, fax or printers located at branches that cannot be used to send or print information related to the systems in your ISMS scope can be excluded from the scope.
Nov 13, 2017