Certification process of sister company
The majority of our finance, HR and other major departments are managed by our parent company, but our sister company wants to become ISO 27001 certified. How do we manage the certification process? Please note that we will require access to the HR and finance departments, for instance. Additionally, we are headquartered in site A and have a branch in site B, but we wish to obtain certification only for site A. How are we going to treat our employees in site B and under which category should we put this?
If I understood correctly, the scenario involves a parent company X, at least two sister companies Y and A, and company A has a branch company B.
X (parent)
├── Y (sister)
└── A (sister)
    └── B (branch)
In this situation you should consider only Site A as the scope for the certification process, leaving the departments from the parent company, and the branch in site B, as third parties which interact with your certification scope.
This way your certification process will be restricted to Site A, and required security controls related to departments from the parent company, and related to the branch company, will be handled through security clauses in contracts and/or service agreements you will establish with them.
This article will provide you with further explanation about the certification process:
- ISO 27001 implementation steps https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
This material will also help you regarding the Information Security Management System scope definition:
- Tool for defining the ISO 27001 ISMS scope https://advisera.com/insight/chatbot-tool-iso-27001-scope/
Sep 13, 2022