Certification scope
As we have two entities, one in Site A operating under the supervision of the regulator and 2nd in Site B providing services for the Site A entity, a few things to clarify:
- Is the setup, documents, actions etc. enough for both entities, or I will have to prepare two different setups?
- Also do we have to pass an audit to certify both entities or only the regulated body is enough?
In addition to that, the situation now is slightly changed as we have another regulated entity in Site C and I need this to be added in the answer. I need clarification on how to action as we have now in total 3 companies under Company:
Company A - the Site B company that is providing services for the rest of the companies
Company B - the Site A-regulated company
Company C - the Site C-regulated company
Assign topic to the user
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more 
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
Regarding certification, you should consult your customers and regulators' requirements (i.e., contracts, laws, and regulations) to identify if they demand all sites to be certified or only specific sites. Based on these requirements, you can define which entities need to be certified. For example, if your customers' contracts only require Site A to be certified, and regulators do not demand certification, then certifying only Site A would be enough.
Regarding setup, documents, actions, and other elements related to the ISMS, those that are similar can be shared between entities (e.g., document and record control, internal audit, management review, etc.), while those with specific requirements may require separate implementation (e.g., disaster recovery plans).
Comment as guest or Sign in
Oct 06, 2023