I have been following you and Advisera for a couple of months and I really like the content you provide.
I am now in the process of preparing my first customer for ISO 27k certification, but the legal side of things with the certification is not quite clear to me.
Would you please be so kind and give me your professional opinion on this? Would Conformio also help me with the process in this case?
Let me give you a brief overview of the situation and you will know what I mean right away:
There is company A (consists of 15 people), based in EU, which develops software, provides support, makes proprietary hardware for the software they make etc.
Then there is company B (consists of 2 people), based outside the EU, which owns the copyrights to this software, tells company A what to do and what to develop, and is also written on every contract when they sell this software.
The customer wants this software to be ISO 27k certified. Company B has no other legal connection with company A; they are not like parent/daughter companies.
My question is, which company is going to be certified? Do they both need to be certified, separately?