Table Top Exercise / Drill Validity in Meeting ISMS Certification
"Our organization achieved ISO 27001:2013 certification a few years back for a Data Center (DC). Recently, we established a Security Monitoring Center (SMC) and we are exploring having the SMC certified to ISO 27001.
We are considering either extending the existing DC ISMS certification scope to the SMC or having the SMC gain a separate ISMS certification.
Below are my doubts that require your expert advice:
a) Would it be fine to have the same ISMS team that takes care of the DC ISMS certification manage the SMC ISMS certification programme?
b) Would it be fine to deploy the existing relevant DC ISMS SOPs to the SMC ISMS certification? Meaning that we maintain a single set of SOPs, to be used for two separate ISMS certifications: DC and SMC respectively.
c) What are the advantages and disadvantages of maintaining a single ISMS certification for both centers versus each center having its own ISMS certification?"
a) Would it be fine to have the same ISMS team that takes care of the DC ISMS certification manage the SMC ISMS certification programme?
In terms of the ISO 27001 standard, there are no restrictions regarding using one team to manage multiple certifications. In fact, the experience of the team with the previous certification will help make the second implementation easier.
b) Would it be fine to deploy the existing relevant DC ISMS SOPs to the SMC ISMS certification? Meaning that we maintain a single set of SOPs, to be used for two separate ISMS certifications: DC and SMC respectively.
Commonly used SOPs can be deployed for both the DC and the SMC, but you need to take care when managing such documents, to ensure that when any changes are made to them you make clear to which scope they relate.
For further information, see:
- Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
c) What are the advantages and disadvantages of maintaining a single ISMS certification for both centers versus each center having its own ISMS certification?
The main advantage of a single certificate is the reduced maintenance and recertification costs because you will need to go through only a single set of surveillance audits and recertification audits.
The main advantage of separate certificates is that if something happens that affects the certificate of one scope, it will not have an impact on the other.
It seems to me that you are talking about two different areas in the same company, and it is extremely rare for one company to have two separate certificates for one standard. What normally happens in situations like this is that companies decide to expand the existing ISMS scope to include the new area.
Oct 22, 2020