Thank you for offering assistance. We have started gathering interested parties and requirements.
We are struggling with the scope of this list.
For example, ISO 9001 covers the “local community” as an interested party… But I presume this is not applicable here because they have no interest in our ISMS and our ability to prevent a breach. If it is limited to people who have an interest in our ISMS and our ability to prevent a breach, then it would be easier.
Our client may have concerns about our ability to keep the documentation and passwords that we possess on our systems safe from a breach.
But services we provide to them to keep them/their systems and data safe from a breach are not in scope, I believe…? But we need to clarify that.
Any guidance you can offer would be greatly appreciated.