Scope definition

Guest user Created:   Sep 09, 2019 Last commented:   Sep 09, 2019


I hope you are doing well. I am writing because the company where I currently work wants to get certified in 27001, but it only wants to certify one "product", which is electronic invoicing. I wanted to know whether this is possible, since I am confused about how to delimit the scope of the ISMS and the information security policy. Would the policy exclude the company's other processes and areas? And in terms of cost, would it also be less beneficial, since the cost would increase when we want to certify the company's other processes?
Expert
Rhand Leal Sep 09, 2019

1 - I hope you are very well, I write since the company where I am currently working wants to be certified in 27001, but just wants to certify a "product" which is electronic invoicing, I wanted to know if this is possible, since I have confusion at the time to delimit the scope of the ISMS and the information security policy, would the policy exclude the other processes and areas of the company?

Answer:

First, it is important to note that ISO 27001 does not certify "products", only processes. So in your case the certification would be related to the electronic invoicing process.

Regarding scope definition, you can limit the scope to any size you want, and you can exclude processes, locations or business units you think should be left outside the scope.

2 - And, due to cost issues, it would also be less beneficial since it would increase when you want to certify the other processes of the company?

Answer:

The smaller the scope, the smaller the certification costs will be. In fact, including processes you do not want to certify now will increase the costs of certification (many certification bodies use the total number of personnel involved in the scope to define the required days for the certification, which directly impacts certification costs).

These articles will provide you further explanation about scope definition:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
- How to set the ISMS scope according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/
