Expert Advice Community

Certification in multiple geographic locations

Guest user Created:   Mar 14, 2019 Last commented:   Mar 14, 2019

We are trying to figure out what support is required and what steps need to be taken to become certified in multiple geographic locations.
Expert
Rhand Leal Mar 14, 2019

Answer:

First of all, implementing a certification in multiple geographic locations is a complex task, and you should go for it only if it is really necessary for business strategies and objectives. Instead, you should consider prioritizing locations and implementing the certification one location at a time.

Regarding project steps to become certified, they are practically the same for single and multiple locations. Broadly speaking, to implement ISO 27001 an organization has to:
- Obtain top management support
- Define and document a scope based on the needs and expectations of interested parties relevant to information security. At this point, for a multiple location project, you have to identify common needs and handle conflicting issues regarding the multiple locations (e.g. conflicting laws and regulations).
- Define, document and communicate an information security policy and responsibilities relevant to the operation and management of information security. For a multiple location project you should consider an organization-wide policy defining common requirements and specifying that local issues are to be considered for specific topics (e.g., a common issue may be top management commitment to the ISMS, and a specific issue is the definition of security objectives for each location).
- Define a risk assessment and treatment methodology
- Define and allocate competencies and resources for the operation and management of information security
- Implement risk assessment and risk treatment
- Operate the security controls and generate the necessary records. This is another point where implementation can differ according to the location.
- Measure, monitor and evaluate the information security performance
- Implement corrections and improvements

Regarding the support required, to increase the chances of success, it is important that the persons involved have experience in project management and knowledge of the standard, and that you consider hiring expert legal advice to map legal requirements and handle conflicting issues.
Last, but not least, you have to consider a certification body that can cover all locations you wish to include in your certification.

These articles will provide you further explanation about ISO 27001:
- ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
- Who should be your project manager for ISO 27001/ISO 22301? https://advisera.com/27001academy/blog/2014/12/01/who-should-be-your-project-manager-for-iso-27001-iso-22301/
