How would I audit a large company who holds their ISMS processes at their head office but have 120 sub sites who mainly only supply construction work for the company. Head office is in *** and about 60 sub sites in ***. My point is, as far as the ISMS is concerned it is operated from the Head office who hold all the clients’ data.
Assign topic to the user
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more 
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
I’m assuming that:
- the ISMS scope covers only the company’s head office and the sub-sites only interact with the ISMS scope (they are not part of it)
- you are referring to an internal audit, not to a certification audit.
Considering that, when the scope is only the head office, you do not need to audit the sub-sites.
In this case, the sub-sites can be audited as part of the supplier monitoring process, which is a completely separated process.
At most, during the audit of the head office, you can ask for the audit reports from the sub-sites, to check if audits were performed and if treatment of raised non-conformities is being followed up, but you do not need to enter in further detail.
This article will provide you with further explanation about auditing:
- How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit
These materials will also help you regarding auditing:
Comment as guest or Sign in
Sep 23, 2022