Extension of scope by adding location where part of the controls are executed by our sister organization
In this situation, it would be better to consider the management of the IT landscape in this subsidiary as an outsourced service.
In this situation, the risks related to deviating policies would be treated according to ISO 27001 section A.15 of Annex A - Supplier relationships (i.e., by means of contracts or service agreements). This way you would not need to change your current documents (required adjustments would be defined as clauses in the contract or service agreement).
This article will provide you with a further explanation of supplier security:
- 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
Apr 15, 2022