Question ISO 27001 implementation
Certifying only the small company is possible, provided it is legally separated from the bigger company, and you can include in the Information Security Management scope only the elements the small company controls (you do not need to separate everything).
For example, in physical terms, this means that this small company should be located on a floor of its own, not shared with employees of the bigger company.
In terms of policies and procedures, they should be divided in such a way that you can control all the elements of your documentation, i.e., even if you need to follow the guidelines of the bigger company, you can do that in your own way. For example, you can implement access control in different ways.
Please note that if you find out that implementing such separation is too complex or costly, then an alternative would be to certify both companies, keeping the bigger company scope as small as possible (e.g., including only the processes that directly interact with the small company).
These materials will help you regarding scope definition:
- Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/
- How to set the ISMS scope according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
Feb 14, 2022