1 - Our owner/parent company (***) is also our supplier for several IT services (e.g., network). They define rules and settings that automatically apply to us (in their role as owner). However, in their role as supplier, they would have to adhere to the standards we (the subsidiary, ***) set for them, correct? How should we formulate this in our ISMS scope, and how should we treat it in the SoA?
Answer: Please note that this question about rules, settings, and standards does not apply to the definition of the ISMS scope.
In the definition of the scope, you only need to mention that your IT services are outsourced (you do not even need to identify the provider in the scope). The detailed information about the outsourcing situation is used when performing a risk assessment.
For further information about scope, see:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
Regarding your scenario, since your “supplier” is also your owner/parent company, they will have the last word on any setting you define regarding the provided services, so you need to agree with them on whether these settings are needed (based on the results of the risk assessment and applicable legal requirements) and feasible. In this situation you have two possible scenarios:
- they agree with your settings and create specific rules for your organization.
- they do not agree with your settings, and you will need to evaluate the related risks to decide on another way to treat them.
2 - And are there any recommendations regarding how such a relationship should be clearly formulated in an SLA?
Answer: The fact that your owner/parent company is also your IT supplier does not affect the regular content an SLA should cover, so you need to define in your SLA items like service description, scope, supported performance, contacts, etc.
This article will provide you with a further explanation of SLAs:
- What’s the content of an ITIL/ISO 20000 SLA? https://advisera.com/20000academy/blog/2016/06/14/whats-the-content-of-an-itiliso-20000-sla/