27001 Certification for Multiple Companies / Geographic locations
1 - How will ISMS work in this situation?
Since you defined site A as the ISMS scope and site B is out of the scope, the ISMS will work for your organization by directly protecting the information in site A and by ensuring proper security controls are enforced on site B by means of contracts and/or service agreements.
2 - Are subsidiary and third parties considered the same under ISMS?
Yes, from the perspective of the part of the company that is included in the ISMS scope, the subsidiaries that are excluded from the ISMS scope have the same treatment as vendors, suppliers, etc. - they are all considered "third parties" because they are not included in the ISMS scope.
3 - Am I right in thinking that the offices need a contract in place defining the services provided (IT management, design work, etc.), including the security requirements the Site B office must follow to meet the 27001 standards of the Site A office?
Your assumption is correct. The establishment of contracts or service agreements is the best way to ensure responsibilities and security controls will be enforced between the parties.
For further information about the application of security clauses, see
- Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/
- What to consider in security terms and conditions for employees according to ISO 27001 https://advisera.com/27001academy/blog/2018/05/23/what-to-consider-in-security-terms-and-conditions-for-employees-according-to-iso-27001/
Thanks for the reply, very helpful, but I have some additional questions.
I'm struggling to get my head around how we can justify scoping out the IT Management side of the Company. The IT Management side will have complete control of our IT systems and potentially uncontrolled access to our servers. If we establish contracts or service agreements, won't the security requirements be the majority (if not all) of Site A's ISMS? If so, what's the benefit of scoping them out?
Would considering Site A and Site B as one Company but Site B (still providing IT Management and Design services) scoped out of the ISMS be an easier way to implement the ISMS? Site B will still implement the relevant ISMS policies but only Site A will be certified? I'm thinking this might save a somewhat complicated contract/service agreement and mean fewer controls to be audited.
Lastly, I understand that the Chief Information Security type role is not mandatory under 27001 but it is beneficial to the process. Is it possible for someone from Site B to take this position for Site A despite being scoped as a third party?
1 - I'm struggling to get my head around how we can justify scoping out the IT Management side of the Company. The IT Management side will have complete control of our IT systems and potentially uncontrolled access to our servers. If we establish contracts or service agreements, won't the security requirements be the majority (if not all) of Site A's ISMS? If so, what's the benefit of scoping them out?
Please note that security requirements defined for Site A can also be enforced on Site B by means of contracts/service agreements. The benefits of scoping out the IT management are related to decreasing the complexity of the scope and the certification maintenance costs, since you will have a smaller scope to manage.
Regarding control of the IT infrastructure by Site B, it can be legally defined (through contract/service agreement) that any decision it makes needs approval from Headquarters to be implemented, so even though it has operational control, it will not have the decision power to implement changes without HQ consent.
Regarding the risk of uncontrolled access to your servers, controls such as encryption, logging, and monitoring of the user administrator’s activities can be used to decrease such risks.
For further information, see:
- Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/
2 - Would considering Site A and Site B as one Company but Site B (still providing IT Management and Design services) scoped out of the ISMS be an easier way to implement the ISMS? Site B will still implement the relevant ISMS policies but only Site A will be certified? I'm thinking this might save a somewhat complicated contract/service agreement and mean fewer controls to be audited.
The scenarios of considering Site A and Site B as different companies, or as the same company with Site B scoped out of the ISMS, would be the same for an ISO 27001 certification, i.e., you would still need to develop an agreement between them, since they will have the same client-supplier relation.
In fact, this situation would be a bit more complex, because you would need to align first with the certification body the situation of having two legally different organizations considered as a single company.
3 - Lastly, I understand that the Chief of Information Security type role is not mandatory under 27001 but it is beneficial to the process. Is it possible for someone from Site B to take this position for Site A despite being scoped as a third party?
ISO 27001 does not prescribe that information security roles need to be fulfilled by an organization’s employee, so provided you can evidence that the related roles are defined and being fulfilled, you can “outsource” this position to someone from Site B.
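The answer above relies on two compensating controls for a scoped-out IT provider: changes to Site A's systems need headquarters approval, and administrator activity is logged and monitored. The following added example (not part of the forum thread or of Advisera's material) shows one way Site A could review such logs: it parses a constructed administrator-activity log, assumes an approval register keyed by change id, and flags every privileged action that has no approved change reference for the system it touched. The log format, field names and change ids are assumptions made for the example.

```python
"""Review administrator activity against an HQ-approved change register.

Added example with constructed data; it is not taken from the forum answer.
It models the control described there: the outsourced IT provider has
operational access, but every change must map to a change approved by HQ.
"""
import re
from dataclasses import dataclass

# Constructed sample log. Assumed format (one event per line):
#   <ISO timestamp> <user> <action> <target system> <change id or '-'>
SAMPLE_LOG = """\
2022-09-16T08:02:11Z siteb-admin1 LOGIN srv-fileshare01 -
2022-09-16T08:05:40Z siteb-admin1 CONFIG_CHANGE srv-fileshare01 CHG-1042
2022-09-16T09:14:02Z siteb-admin2 USER_CREATE srv-ad01 CHG-1043
2022-09-16T11:30:55Z siteb-admin2 CONFIG_CHANGE srv-mail01 -
2022-09-16T12:01:17Z siteb-admin1 DATA_EXPORT srv-db01 CHG-1042
2022-09-16T13:45:00Z siteb-admin3 CONFIG_CHANGE srv-db01 CHG-9999
"""

# Constructed register of changes approved by headquarters.
# Assumed shape: change id -> set of systems the approval covers.
APPROVED_CHANGES = {
    "CHG-1042": {"srv-fileshare01"},
    "CHG-1043": {"srv-ad01"},
}

# Actions that alter systems or move data and therefore need HQ approval;
# read-only actions such as LOGIN are not checked here.
PRIVILEGED_ACTIONS = {"CONFIG_CHANGE", "USER_CREATE", "USER_DELETE",
                      "PRIV_GRANT", "DATA_EXPORT"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<action>\S+) (?P<target>\S+) (?P<change>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    action: str
    target: str
    reason: str


def parse_line(line):
    """Return the event fields as a dict, or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def review_admin_log(log_text, approved):
    """Return a Finding for each privileged action not covered by an approval."""
    findings = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev["action"] not in PRIVILEGED_ACTIONS:
            continue
        change = ev["change"]
        if change == "-":
            reason = "no change reference"
        elif change not in approved:
            reason = f"change {change} not in approved register"
        elif ev["target"] not in approved[change]:
            reason = f"change {change} not approved for {ev['target']}"
        else:
            continue  # privileged action, but properly approved for this system
        findings.append(Finding(ev["ts"], ev["user"], ev["action"],
                                ev["target"], reason))
    return findings


if __name__ == "__main__":
    for f in review_admin_log(SAMPLE_LOG, APPROVED_CHANGES):
        print(f"{f.timestamp} {f.user} {f.action} on {f.target}: {f.reason}")
```

Run against the constructed sample, the review flags three events: a configuration change with no change reference, a data export made under a change approved for a different system, and a change id that is absent from the register. Each finding is something Site A can raise with Site B under the service agreement, which is what turns the logging and monitoring controls from evidence collection into actual oversight.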
Sep 16, 2022