We have multiple entities in different countries but using the same IT infrastructure. Is one ISO 27001 certificate enough, or do we need separate certificates?
In simple terms, yes—if all your entities use the same IT infrastructure and the parent company’s certification covers this shared system, one ISO 27001 certificate can be used for the entire group.
However, if the entities have different IT systems or require distinct security measures, then no, you would need separate certifications for each entity.
Here’s how it generally works: an ISO 27001 certificate belongs to the legal entity that was assessed for it. If each organization is evaluated individually, then every system and asset that forms part of that organization's scope must be covered by that entity's own certification.
There is some flexibility, however, when all your entities run common IT systems and information solutions.
In such circumstances, one option is to hold a single ISO 27001 certificate issued to the parent company, provided that the certificate’s scope explicitly covers the other entities connected by the shared IT infrastructure.
This approach can be effective and inexpensive for organizations with integrated systems across several sites: there is less paperwork and fewer certifications to produce, because you concentrate your compliance effort on one organization.
If, however, the entities run different IT systems, or the underlying information systems differ substantially, then each entity will need its own ISO 27001 certification. This is because the certification has to correspond to the particular controls and security measures applied to each system.
Separate certifications recognize that each organization has its own specific security needs and threats, address them, and confirm compliance for each entity individually.
What steps should we take to determine if our IT infrastructure is considered the same across all entities?
To determine if your IT infrastructure is considered the same across all entities:
- Start by reviewing the technical and security setups used in each location
- Ensure that the systems, processes, and controls are identical or sufficiently aligned
- Consult with your ISO 27001 certification body to confirm that the scope of your certification accurately reflects this shared infrastructure
The certification body can guide you on how to include all relevant entities under a single certificate. If there are differences in IT systems or controls, you’ll need separate certifications for each entity to ensure compliance with ISO 27001.