I’m assuming that you are asking which company needs to implement ISO 27001 and get certified.
Considering that, the company that needs to implement ISO 27001 and get certified is the one which has a direct business relation to the customer.
For example, if the ecommerce company is directly selling the goods/services, then it is the one who needs to get certified.
On the other hand, if you make deals with the business owner (i.e., the other company only operationalizes the deal), then this is the one who needs to get certified. This way you do not need to verify if every business owner's suppliers that serve you are ISO 27001 certified.