Should your organization span multiple subsidiaries (organizational units, divisions or sites), you have the option to serve all sites using one ISMS, or each subsidiary can have their own ISMS. This page lays out the differences.
One monolithic ISMS
In this scenario, the main office (holding organization) and all subsidiaries are seen as one organization. This would mean one ISMS is needed (one scope, one risk assessment, one set of controls, one Statement of Applicability).
Pros
- Requires only one ISMS license
- No internal (cross division) supplier relations
- Only one certification audit
Cons
- A subsidiary cannot be sold including the ISO certification
This scenario is useful in case the subsidiaries share services and/or personnel, albeit from each other or the parent (holding) organization.
Individual ISMS-es
When all subsidiaries have different activities, products or services, one overarching ISMS may be too rigid. To add flexibility, you can consider using one ISMS for each independent subsidiary.
Each will have its scope, risk assessment, selection of controls and Statement of Applicability. It is of course possible to refer to content (e.g. company wide policies or procedures) from one ISMS to the other.
Pros
- Each subsidiary can be sold including their ISO certification
Cons
- Requires multiple ISMS license
- Multiple certification audits
This scenario is recommended in case one or more subsidiaries might be sold off in the (near) future.
Curious to see how prepared your organization is for ISO 27001? Answer 10 simple questions and get instant feedback. Your result will show your current strengths and highlight opportunities to improve security in a practical way.
More frequently asked questions
About Instant 27001 (the product)