We are an advertising company with many entities of our own (we call them agencies). Some of them reside in the head office, where we provide shared services to them (IT, HR, Finance), and some reside in their own buildings but still use our shared services.
Usually, our clients send us a questionnaire before signing a contract to verify how we process, store and remove their data upon their request. This process has become overwhelming for us, and management has decided to implement ISO 27001 for the company, as it addresses all our clients' concerns and provides extra assurance for our own information security.
Our initial thought is to get certified for the head office and include only our shared services in the scope; the other businesses would apply for their own certificates later, appointing us as their supplier with SLAs in place. However, this may not be a good approach, as some of our businesses residing in other buildings have more urgency to get certified.
If we apply for the head office, we are talking about 1300 employees and xyz sites in xyz cities, while nationwide we have 2000 employees and xyz sites. Speaking of sites, there is another concern for us: our backup replicates our data every night to our offices in other cities, so I assume that even if we define the scope for the head office, our data still being in other sites will not address clients' concerns.
It would be great to have your input on the following questions:
• What would be the best approach for us to get certified for ISO 27001? Self-implement, or hire a consultant?
• Is the initially defined scope practical in your expert opinion?
• Are your templates and services applicable to our company, given that they are designed for small and medium corporations?