Expert Advice Community
Scope definition considering suppliers

Guest user Created: Oct 20, 2017 Last commented: Oct 27, 2017

When an organisation defines its scope as its critical application, information and database, they were defining the exclusion from scope in the manual for development/maintenance, and the cloud provider. Can they exclude these if we refer to Clause 4.3 (c)? Shouldn't they need to include them but assess the risk and define the relevant controls, such as A.15, to manage the supplier?
Expert
Rhand Leal Oct 20, 2017

Question refers to this article: Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/

Answer: Outsourced providers, either of services or infrastructure, generally can be excluded from an organization's ISMS scope, because such providers are not under the control of the organization, but it should be mentioned in the scope statement that the scope (critical application, information and database) is operated and maintained by external providers, so it becomes clear that they must be considered in the organization's risk assessment to identify applicable controls, those from section A.15 as you mentioned.

You should also note that parts of a cloud service provider which are under the control of the company can be included in the scope (e.g., when the cloud provider provides applications but the user management is performed by the customer organization).

Regarding development and maintenance, they are part of the life cycle of any application, so if the organization performs these processes they cannot be excluded, since the scope covers the critical application. If the development and maintenance are performed by a provider, then they also should be mentioned in the scope as in the previous answer, and considered in the risk assessment as a supplier-related risk that should be treated if the risks are considered unacceptable.

Expert
Rhand Leal Oct 27, 2017

We received this question:

> "If the client is allowed to exclude the service provider or outsourcer from the scope since they do not have control over them, can they put a justification as such in the SoA to exclude the A.15 controls? The only concern we have seen on some clients is that they will overlook the security matters related to service providers/outsourcers, as in their understanding these have been excluded from the scope. How could we address such a misunderstanding?"

Answer: Just because suppliers are excluded from the ISMS scope, it doesn't mean controls from Annex A can be excluded from the SoA on that basis. The scope definition and SoA elaboration are different processes that do not have this relationship.

Considering that, a control can only be excluded from SoA if:
- There is no law, contract or similar legal requirement demanding that the control be implemented, and
- There are no unacceptable risks related to the outsourced service identified in risk assessments, or the organization consciously accepted the risks identified as unacceptable

So, the fact that service providers or outsourcers are excluded from the ISMS scope is not reason enough to justify excluding controls from section A.15. An organization has to evaluate first the legal requirements involved and the risks associated with the outsourced service.

To handle this kind of misunderstanding, you can ask your clients this question: If you would consider security controls if you were running the service yourself, why not require the same commitment from your suppliers?
