Expert Advice Community

27001 Certification for Multiple Companies / Geographic locations

Guest
Created: Sep 09, 2022 Last commented: Sep 16, 2022

I'm trying to write and implement an ISO 27001 compliant information security management system (ISMS) for the company I work for. Currently we have our HQ in the UK (2 office locations plus a test site) and an additional office in Europe. Currently the goal is to have the ISMS applicable to the UK locations, and the EU location is scoped out as a subsidiary / third party providing services to the UK organisation. The EU office also manages the IT infrastructure of the UK office. I'm not sure of the reason the EU is scoped separately, but I believe it's to avoid complexity and expense. We share intellectual property and confidential information (just technical, generally no Personally Identifiable Information) back and forth between the UK and EU offices and eventually plan to move to a shared cloud database managed by the UK, but the EU has access and contributes. How will the ISMS work in this situation? Are subsidiaries and third parties considered the same under an ISMS? Am I right in thinking that the UK and EU offices need a contract in place defining the services provided (IT management, design work, etc.), including the security requirements the EU office must follow to meet the 27001 standards of the UK office?
Expert
Rhand Leal Sep 14, 2022

1 - How will ISMS work in this situation?

Since you defined site A as the ISMS scope and site B is out of the scope, the ISMS will work for your organization by directly protecting the information in site A and by ensuring proper security controls are enforced on site B by means of contracts and/or service agreements.

2 - Are subsidiary and third parties considered the same under ISMS?

Yes, from the perspective of the part of the company that is included in the ISMS scope, the subsidiaries that are excluded from the ISMS scope have the same treatment as vendors, suppliers, etc. - they are all considered "third parties" because they are not included in the ISMS scope.

3 - Am I right in thinking that the offices need a contract in place defining the services provided (IT management, design work, etc.), including the security requirements the Site B office must follow to meet the 27001 standards of the Site A office?

Your assumption is correct. The establishment of contracts or service agreements is the best way to ensure responsibilities and security controls will be enforced between the parties.

For further information about the application of security clauses, see

Guest
Sep 14, 2022

Thanks for the reply, very helpful, but I have some additional questions.

I'm struggling to get my head around how we can justify scoping out the IT Management side of the Company. The IT Management side will have complete control of our IT systems and potentially uncontrolled access to our servers. If we establish contracts or service agreements, won't the security requirements be the majority (if not all) of Site A's ISMS? If so, what's the benefit of scoping them out?

Would considering Site A and Site B as one Company, but with Site B (still providing IT Management and Design services) scoped out of the ISMS, be an easier way to implement the ISMS? Site B would still implement the relevant ISMS policies, but only Site A would be certified? I'm thinking this might save a somewhat complicated contract/service agreement and mean fewer controls to be audited.

Lastly, I understand that the Chief Information Security type role is not mandatory under 27001, but it is beneficial to the process. Is it possible for someone from Site B to take this position for Site A despite being scoped as a third party?

Expert
Rhand Leal Sep 16, 2022

1 - I'm struggling to get my head around how we can justify scoping out the IT Management side of the Company. The IT Management side will have complete control of our IT systems and potentially uncontrolled access to our servers. If we establish contracts or service agreements, won't the security requirements be the majority (if not all) of Site A's ISMS? If so, what's the benefit of scoping them out?

Please note that security requirements defined for Site A can also be enforced on Site B by means of contracts/service agreements. The benefits of scoping out the IT management are related to decreasing the complexity of the scope and the certification maintenance costs, since you will have a smaller scope to manage.

Regarding control of the IT infrastructure by Site B, it can be legally defined (through contract/service agreement) that any decision it makes needs approval from Headquarters to be implemented, so even though it has operational control, it will not have the decision power to implement changes without HQ consent.

Regarding the risk of uncontrolled access to your servers, controls such as encryption, logging, and monitoring of the user administrator’s activities can be used to decrease such risks.  

For further information, see:

  • Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/

2 - Would considering Site A and Site B as one Company, but with Site B (still providing IT Management and Design services) scoped out of the ISMS, be an easier way to implement the ISMS? Site B would still implement the relevant ISMS policies, but only Site A would be certified? I'm thinking this might save a somewhat complicated contract/service agreement and mean fewer controls to be audited.

The two scenarios, considering Site A and Site B as different companies, or as the same company with Site B scoped out of the ISMS, would be the same for an ISO 27001 certification, i.e., you would still need to develop an agreement between them, since they will have the same client-supplier relationship.

In fact, this situation would be a bit more complex, because you would need to align first with the certification body the situation of having two legally different organizations considered as a single company.

3 - Lastly, I understand that the Chief of Information Security type role is not mandatory under 27001 but it is beneficial to the process. Is it possible for someone from Site B to take this position for Site A despite being scoped as a third party?

ISO 27001 does not prescribe that information security roles need to be fulfilled by an organization’s employee, so provided you can evidence that the related roles are defined and being fulfilled, you can “outsource” this position to someone from Site B.
