A foreign company branch needs to get certified. The branch assets are mostly controlled by the overseas company. Even some servers and routers are controlled by the HQ IT department. They need to get 27001. The main company has an ISMS, but the branch is semi-controlled, semi-independent.
How should the documentation be? Should we get the main company documentation into the branch docs too?
I am seriously confused :)
I hope you guys can guide me out.
Thanks to everyone for their interest.
In this case you have to set the scope of your ISMS very precisely. You have basically 2 options:
a) Broaden the scope of your main company ISMS to include the branch office as well, or
b) Implement a separate ISMS in your branch only.
It seems to me that option a) would be better, because this would mean that the existing documentation will be valid not only for the main office, but also for your branch.
If you choose option b), your branch office will have to treat everything that is outside of the scope as an external party - this means that in this context your main office would also be an external party, with which you would have to define a clear boundary and make agreements for SLA, security, etc. Further, in this case the branch would have to write its own documentation.