Should your organization span multiple subsidiaries (organizational units, divisions or sites), you have the option to serve all sites using one ISMS, or each subsidiary can have their own ISMS. This page lays out the differences.

One monolithic ISMS

In this scenario, the main office (holding organization) and all subsidiaries are seen as one organization. This would mean one ISMS is needed (one scope, one risk assessment, one set of controls, one Statement of Applicability).

Pros

  • Requires only one ISMS license
  • No internal (cross division) supplier relations
  • Only one certification audit

Cons

  • A subsidiary cannot be sold including the ISO certification

This scenario is useful in case the subsidiaries share services and/or personnel, albeit from each other or the parent (holding) organization.

Individual ISMS-es

When all subsidiaries have different activities, products or services, one overarching ISMS may be too rigid. To add flexibility, you can consider using one ISMS for each independent subsidiary.

Each will have its scope, risk assessment, selection of controls and Statement of Applicability. It is of course possible to refer to content (e.g. company wide policies or procedures) from one ISMS to the other.

Pros

  • Each subsidiary can be sold including their ISO certification

Cons

  • Requires multiple ISMS license
  • Multiple certification audits

This scenario is recommended in case one or more subsidiaries might be sold off in the (near) future.


Curious to see how prepared your organization is for ISO 27001? Answer 10 simple questions and get instant feedback. Your result will show your current strengths and highlight opportunities to improve security in a practical way.


More frequently asked questions

100% first time success! Start with confidence.

Order now   Book a demo