Small questions about the implications of the scope of the ISO27001

# section 1

What does the term "users" refer to? All the parties under the scope of the certification, or only the persons who need to maintain and make decisions related to these documents?

The term “users” refers to all persons that need to use, consult or follow the rules and activities defined in the document.

# section 3.4

If we keep the employees' laptops (provided by the company) within the scope of the certification, will this imply some restrictions as to what the employees can do or install on their company's laptop?

Please note that assets (such as the laptops provided by the company) included in the ISMS scope need to be protected, so, depending on the assessed risks and applicable legal requirements, some restrictions may be applicable to the laptops.

If we do exclude students from the scope, does it imply that they will have a restricted access to the company's data?

There are two approaches to temporary workers that you exclude from the scope: (a) that you do not give them access to sensitive data (this is a preferred option for students), or (b) that you specify security clauses in their employment agreements (this is a preferred option for specialists - e.g., external auditors, accountants, lawyers, etc.).