Setting the scope of ISO 27k certification
ISMS is called a system because it contains several related processes and IT systems; but you are right, it could be confusing. Perhaps you can call your ISMS simply "information security management", just as you probably say "financial management" for your financial activities.
This leads me to a perhaps larger question that I should know already. When we get ISO 27K certification, is the certification for the company or for one (or more) of our data processing systems? Should we be building the ISMS enterprise wide or are the policies, procedures, etc. that we are assembling specific to our e-commerce application? I think it is the latter, otherwise what would be the purpose of the ISMS scope?
The certification body will certify your ISMS within the scope you specify. You can set your ISMS scope for your whole company, for one or several departments, for a process, or for an IT system. I really wouldn't recommend setting the scope for a process or for a system because that is extremely hard to achieve - it is much easier to set the scope for the whole company, or based on departments. This article may help you: Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
Once you set the scope, policies and procedures must not apply only to your IT systems, because you also have to cover other controls from Annex A - human resources management, supplier management, legal controls, etc.
Jan 12, 2016