Advice on ISMS implementation for Group and subsidiary companies
Please, I need some professional advice.
A holding/group/mother company with other legal subsidiary companies wants to implement an ISMS for the group, with the scope including the subsidiary companies.
The Group company and the subsidiary companies are all located at the same place
The same staff work for both the Group company and the subsidiary companies.
They all share the same assets.
But the subsidiary companies offer different products and services
What do you suggest should be the best way to implement the ISMS towards achieving Certification?
This scenario is not much different from a single organization with multiple departments serving specific and unrelated target groups, and for such a scenario a good approach is to implement the ISMS covering all the units.
Regarding certification, adopting a single certificate for all units or separate ones for each unit is a business decision, depending on their objectives and strategies, but in general organizations like these adopt the model of one certification for each unit, because a change in one unit does not impact the certification of the other units (of course, in your case, the most critical certificate will be the one for the mother company).
These articles will provide you a further explanation about scope definition:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
Oct 06, 2020