We realise that we have common controls across our group as well as differences, and our approach to implementation is to have a corporate control with localisations if required.
Will the auditing need to occur for each of our three companies or will the parent company only be audited? The answer to this question will have a bearing on whether the ISO implementation is separate in each company or we can share common controls.
Answer: The audit will have to be performed on all sites defined in your scope. Considering that, you have these options to consider:
- A single scope for all three companies. In this case all companies will have the same certification and will need to be audited during the same audit event.
- A scope for each company. In this case each company will have its own certificate and can be audited in a separate event.
A single certification means reduced cost, but increases the logistics complexity during the audit, as opposed to having a certification for each company.
Regarding common and specific controls, if you have a single scope this will not make a difference in the audit event. As for adopting different scopes, you will have to identify which company manages the corporate controls and include this information in the scope of the other companies, stating this situation as a relevant interface for these companies.
Apr 07, 2018