
Expert Advice Community

Question ISO 27001 implementation

Guest user | Created: Feb 14, 2022 | Last commented: Feb 14, 2022


I follow Advisera articles and the Foundation Course now to learn about the implementation of ISO 27001. Thanks to all for this sharing. I want to ask you something; if you could answer, I would be pleased.

I started an internship in a company and I am researching the steps of implementing ISO 27001. This company is a small company and it is a sister company of another company. The bigger company and this company work in the same buildings right now; it even continues as an extension of the big company. Most of their assets are the same, but their product and their employees are different. If this small company wants to get a certification, it is possible, right? The small firm wants to get certified.

In this case, I am confused about how the ISO processes can be applied, because every written procedure and policy also affects the members of the other company. Awareness training will have to be given to them as well, and the management of the other firm will have to agree with it. In this case, should these two companies get the ISO 27001 certificate together? Or can only this small firm get this certificate? Or should the two companies separate everything thoroughly before the certificate? Could you help with this point?

Expert: Rhand Leal, Feb 14, 2022

Certifying only the small company is possible, provided it is legally separated from the bigger company, and you can include in the Information Security Management scope only the elements the small company controls (you do not need to separate everything).

For example, in physical terms, this means that this small company should be located on a floor of its own, not shared with employees of the bigger company.

In terms of policies and procedures, they should be divided in a way that you can control all the elements of your documentation, i.e., even if you need to follow the guidelines of the bigger company, you can do that in your own way. For example, you can implement access control in different ways.

Please note that if you find out that implementing such separation is too complex or costly, then an alternative would be to certify both companies, keeping the bigger company scope as small as possible (e.g., including only the processes that directly interact with the small company).

These materials will help you regarding scope definition:
