Newcomer I

ISO certification for subsidiary organization

Please answer if you have experience with this. 

 

Let's say there are two companies.

-Company A is a holding company

-Company B is Company A's subsidiary. 

 

Company A gets a portion of their organization Certified for ISO 27001 with exclusions explicitly stated for Company B.

 

Can company B utilize any of Company A's processes and policies as a part of their ISMS or do they need an entirely different set of policies and documentation to certify their ISMS?

1 Solution

Accepted Solutions
Newcomer I

Re: ISO certification for subsidiary organization

Hi Bill,

 

The short answer is yes, but you will still need to have an IS Policy for the child company and correctly reference upwards. The language is crucial to cover the subsidiary. The parent ISO certification does not transfer to the child, as the SoA (scope) is different and the companies are separate entities.

 

The way around the issue is to have a Vendor Compliance Policy and apply it to the parent, who is supplying a service.

 

For example, in Australia, NSW eHealth supplies services to the Local Health Districts (LHDs). The LHDs reference eHealth policies and procedures in their IS Policy as part of their framework. The eHealth policies explicitly state that their policies and procedures apply to the LHDs when using their services. So the parent company may need to make some accommodating wording changes to get you across the line. You will still need an Information Security Policy; this is not negotiable.
