In this particular case, the suggestion would be to set the ISMS scope in the following way:
- Remote employees are typically included in the scope; however, their home offices are excluded from the scope because you cannot control those home offices.
- Your sister company should be excluded from the scope because this is another legal entity; however, the elements of the cloud that you control (e.g., virtual servers, software, and data) should be included in the scope.
- If you are a large company, set the scope only for your main office or all offices within your country - you can expand the scope to other countries later on, once you learn how to implement ISMS.
- If you are a small company of less than 50 employees, set the scope for all of your offices, including the offices out of the country.