Extension of scope by adding location where part of the controls are executed by our sister organization
We want to add a subsidiary location to the scope of our ISMS. The risk picture is virtually identical, and they can therefore adopt the policies of our ISMS. The challenge is that their IT landscape is managed by our ISO 27001 certified sister organization. This means that, for example, incident management and patch management are performed by the sister, with deviating policies.
Is it sufficient for expanding the certification to include exceptions in our policies by referring to the policies of our sister organization and to rely on their ISO 27001 certification? Or do we need to perform additional steps for successful certification?