I'm in the process of defining the scope according to ISO 27001 for a company whose core business process is based on the analysis of data. The IT infrastructure is entirely based on the cloud (PaaS) and the company has a dedicated physical location. This is a small-size organization (20+ people) that works remotely by connecting to the cloud. The cloud is not public; it belongs to our holding company. Also, the holding provides human resources for our company.

Organizational scope: developers, operations, supporting team

Information and technologies scope: only the technical services used in the cloud, not referring to the OS, VMs, physical servers, ...

Physical scope: only the scope related to our company
For organizations with up to 50 employees, the best approach is to include the whole organization in the ISMS scope, because in this situation, in the majority of cases, the effort to separate elements in the scope from those out of it is not worthwhile.
When the organization uses a third-party Platform-as-a-Service, the data and all application software should be included in the ISMS scope, while everything else is out, including all system software.
These articles will provide you with a further explanation about scope definition: