Tag: "scope expansion" - Expert Advice Community



Create New Topic As guest or Sign in

HTML tags are not allowed

Assign topic to the user

  • Extension of scope by adding location where part of the controls are executed by our sister organization

    We want to add a subsidiary location to the scope of our ISMS. The risk picture is virtually identical, and they can therefore adopt the policies of our ISMS. The challenge is that their IT landscape is managed by our ISO 27001 certified sister organization. This means that, for example, incident management and patch management are performed by the sister, with deviating policies. Is it sufficient for expanding the certification to include exceptions in our policies by referring to the policies of our sister organisation and rely on their ISO 27001 certification? Or do we need to perform additional steps for succesfull certification?