Multi-Site Certification
Expanding ISO 27001 across multiple sites requires strategic planning.
Multi-Site Sampling
IAF MD 1 Guidance: Certification bodies may audit a sample of sites rather than every site.
Sample Size (initial audit): Square root of N sites (rounded up to the next whole number)
- 4 sites → 2 audited initially
- 9 sites → 3 audited initially
- 16 sites → 4 audited initially
HQ (central function) is always audited, plus a sample of the other sites
Certification Models
Model 1: Integrated Single Certificate
- One ISMS spanning all sites
- Unified policies
- Centralized management
Model 2: Central Plus Satellites
- Central ISMS at HQ
- Local implementation at sites
- Some customization allowed
Model 3: Federated
- Each site has local ISMS
- Corporate oversight
- More local autonomy
Implementation Phases
- Phase 1: Establish central ISMS (HQ) - 6-12 months
- Phase 2: Pilot additional site - 6-18 months
- Phase 3: Phased rollout - Years 1-3
- Phase 4: Full coverage - Year 3+
Critical Success Factors
- Central Coordination: ISMS manager/team
- Site Champions: Local representatives
- Standardized Foundation: Core elements same everywhere
- Controlled Customization: What can/cannot be customized
- Centralized Documentation: Single source of truth
- Consistent Evidence: Standardized collection
Common Challenges
- Inconsistent implementation
- Communication gaps
- Evidence collection burden
- Resource constraints
- Cultural differences
Solutions: Strong oversight, automation, clear accountability
Next Lesson: Automation and tools.