Expert Advice Community
Scope for a small company with outsourced infrastructure to mother company

Guest user Created:   Oct 20, 2017 Last commented:   Oct 20, 2017


We are a 9-employee service company and part of a mother company. All our assets (IT hardware, network and applications) belong to our mother company. Employees are employed by the mother company or outsourced by a third party. Our company is a contract partner with the B2B customers, as we are a service provider to our mother company. We contract with the customer on services which are provided by our mother company.

Expert
Dejan Kosutic Oct 20, 2017

Thus, we acquire the customers and contact them in our own name, but on behalf of our mother company. Data and customer information are saved in the databases and the portal which belong to the other company. The CRM system which we process is also not ours.

However, our management has initiated ISO 27001 certification for our service company. I have selected a business process as the scope for ISO 27001 certification.

During the webinar you told me that it is very hard to get the certification if the business process is to be certified.

Answer:

For a small company such as yours it is very difficult to limit the scope of the implementation and certification to only one process - this is because once you define what is inside the ISMS scope, all other processes and activities that are left outside of the scope will be treated as external (third) parties. Therefore, for a company of 9 employees, the best would be to include your whole company in the ISMS scope.

See also this article: Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

The fact that your company is not an owner of the equipment or services that you are providing doesn't change much - your company is responsible for the data because it is the contractual party with your clients. Therefore, you are responsible for safeguarding data even though this data is not placed on your servers. The fact that the processing is done by your mother company doesn't make much difference - the principle is the same as if you hosted this data on e.g. Amazon AWS, in other words you need to treat your mother company as a provider of services, i.e. as a third-party.
