How to set the ISMS scope if we have some offices out of the country, some employees are working remotely, and cloud services are provided by our sister company?
In this particular case, the suggestion would be to set the ISMS scope in the following way:
- Remote employees are typically included in the scope; however, their home offices are excluded from the scope because you cannot control those home offices.
- Your sister company should be excluded from the scope because this is another legal entity; however, the elements of the cloud that you control (e.g., virtual servers, software, and data) should be included in the scope.
- If you are a large company, set the scope only for your main office or for all offices within your country; you can expand the scope to other countries later on, once you learn how to implement an ISMS.
- If you are a small company with fewer than 50 employees, set the scope for all of your offices, including the offices outside the country.