Good afternoon. Our holding consists of several companies: production companies, management companies and mining companies. Our management company has an ISO 27001 certificate, and the information security policy applies to all companies of the Holding. How do we define the scope correctly so that it includes all of our companies?
To include all your companies in the management company's certification, you need to include the processes and locations of the other companies that will be part of the certification.
Please note that this approach requires all entities to go through the re-certification process together.
Adopting a single certificate for all entities or separate ones for each entity is a business decision, depending on their objectives and strategies, but in general organizations adopt the model of one certification per entity, because a change in one entity then does not impact the certification of the other entities.
These articles will provide you with a further explanation of the scope definition:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
May 31, 2023