Scope definition
Currently we are a freight information services organization. Our clients are freight companies. We manage their information, i.e. passwords, emails, application data; however, each freight company (client) also has its own policies it adheres to, for example they have their own website and use of mobile, where information is stored according to their needs. We do not manage these.
Do they need to complete their own ISO 27001 audit, or are they covered under us, or do we exclude them from the scope? Any guidance will be appreciated.
Answer: Your scope definition should include the information that is under your responsibility and the infrastructure you manage. So information your customers keep on websites or mobile devices you do not manage should not be included in your ISMS scope.
Therefore your customers should not be included in your audit scope, and they can (if they want) go for their own ISO 27001 certification, but this is not mandatory.
These articles will provide you further explanation about scope definition:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
These materials will also help you regarding scope definition:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
There is no need to include the customers as an exception in the audit scope. The fact that your customers may require the results of your internal or certification audit to complete their own audits (e.g., if their auditor is auditing their supplier management process) is not a reason for you to include them in the scope of your audits, either as an exception. The proper document to ensure customers' access rights over your audit results is the contract or service agreement you signed with them.
These articles will give you an idea of how customers may handle the audit of their suppliers according to ISO 27001:
- How to perform an ISO 27001 second-party audit of an outsourced supplier https://advisera.com/27001academy/blog/2017/10/10/how-to-perform-an-iso-27001-second-party-audit-of-an-outsourced-supplier/
- Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/
Dec 22, 2017