
Expert Advice Community

Extension of scope by adding location where part of the controls are executed by our sister organization

erik hoorn Created: Apr 13, 2022 Last commented: Apr 15, 2022

We want to add a subsidiary location to the scope of our ISMS. The risk picture is virtually identical, and they can therefore adopt the policies of our ISMS. The challenge is that their IT landscape is managed by our ISO 27001 certified sister organization. This means that, for example, incident management and patch management are performed by the sister, with deviating policies. Is it sufficient for expanding the certification to include exceptions in our policies by referring to the policies of our sister organization and rely on their ISO 27001 certification? Or do we need to perform additional steps for successful certification?

Expert
Rhand Leal Apr 15, 2022

In this situation, it would be better to consider the management of the IT landscape in this subsidiary as an outsourced service.

In this situation, the risks related to deviating policies would be treated according to ISO 27001 section A.15 of Annex A - Supplier relationships (i.e., by means of contracts or service agreements). This way you would not need to change your current documents (required adjustments would be defined as clauses in the contract or service agreement).

This article will provide you with a further explanation of supplier security:

- 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
