Clarification on ISO 27001:2022 certification
Good day. In the context of our current implementation of ISO 27001:2022, and working towards certification, I ask if guidance may please be provided regarding the following: We are a company of around 60 employees. We are working towards implementing the standard throughout the company, and the risk assessment has been done accordingly. We have come across a doubt, however. While our line of business includes manufacturing and also service provision, we also plan to offer a cloud-based platform, accessible to customers via access credentials, where they can access information related to the equipment/services we provide.
1 - From the implementing/certification point of view, shall the described be considered globally, all included in the implementation/certification, or rather, is it possible or advisable to separate them? I.e., consider the platform separately, with its own certification.
2 - If they were to be separate, how would this even be managed in Conformio?
1 - From the implementing/certification point of view, shall the described be considered globally, all included in the implementation/certification, or rather, is it possible or advisable to separate them? I.e., consider the platform separately, with its own certification.
Due to the size of your company (around 60 employees), unless you have specific requirements for this cloud-based platform to have its own certification (e.g., a law or a contract with a customer), the best approach is to consider a single implementation covering the whole organization, because, for companies of this size, the effort to separate what is included in the ISMS scope from what is not included is not worthwhile.
For further information, see:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
2 - If they were to be separate, how would this even be managed in Conformio?
In case you have a need for the platform to be in a separate implementation/certification, you can create two regular Conformio accounts (one for each instance you want to certify) and do a separate certification for each. As separate accounts, it is not possible to share documents or data to manage both implementations in an integrated form.
Jan 12, 2023