Dear Dejan,
I have been following you and Advisera for a couple of months, and I really like the content you provide.
I am now in the process of preparing my first customer for ISO 27k certification, but the legal side of things with the certification is not quite clear to me.
Would you please be so kind as to give me your professional opinion on this? Would Conformio also help me with the process in this case?
Let me give you a brief overview of the situation and you will know what I mean right away:
There is company A (consisting of 15 people), based in the EU, which develops software, provides support, makes proprietary hardware for the software they make, etc.
Then there is company B (consisting of 2 people), based outside the EU, which owns the copyrights to this software, tells company A what to do and what to develop, and is also named on every contract when they sell this software.
The customer wants this software to be ISO 27k certified. Company B has no other legal connection with company A; they are not like parent/daughter companies.
My question is, which company is going to be certified? Do they both need to be certified, separately?
First, it is important to note that the software is not certifiable against ISO 27001. What can be certified are departments or whole companies.
You can certify either company A, or company B, or both of them. Since this certification is driven by customer demand, it would be best to ask the customer which company they would prefer to be certified. If the customer does not have a preference, it would be more logical to go for company B.
Regarding Conformio, it can be used to implement and maintain your Information Security Management System, regardless of whether you choose to go with company A or B. It is designed to be used by smaller companies.
For further information, see:
- Conformio (online tool for ISO 27001) https://advisera.com/conformio/
May 18, 2023