My company would like to be ISO 27001 certified, so we have started a preliminary study and are now working on a draft ISMS scope in accordance with the standard (context of the company, interested parties, boundaries ...).
Several things remain unclear to me, for which I would like some help in better understanding what has to be included in the scope or not, and other potential consequences:
Locations: The company's only office location is in scope (small office), but should we also include the data center location where some assets are hosted? Note that this is not our own data center, but is outsourced (the company rents some racks from a local datacenter provider).
Out of scope: The company also holds shares in another company which is located within the same office/premises. We can consider these "shared premises", because people from this other company can access the whole office (access control is only in place at the main entrance).
From a network point of view, the second company is isolated on a dedicated DMZ with no access to my company's network (still to be confirmed; they may at least use a shared printer).
My first assessment was to exclude the second company from the scope (including the dedicated DMZ), but after some more thinking it does not appear so easy to decide, since people can move everywhere within our office ...
- Is this something that will be raised through the risk analysis and treatment plan (the conclusion will likely be to physically isolate this second company or to move it elsewhere)?
- What about the dedicated DMZ on an in-scope firewall if the DMZ itself is out of scope (insecure network)?