
What is Multi-Site Certification for ISO 27001?


ISO 27001 is a very useful certification for just about any company operating abroad. Comparable in many ways to NIST-based frameworks like CMMC in the United States, ISO 27001 is an international standard built to help organizations of all sizes, in all industries, and in all regions of the world reach a high, standardized level of information security.

A common question you might have, if you’re part of a larger or growing organization, is how to handle ISO 27001 certification when you’re expanding.

ISO 27001 encompasses both digital and physical security. That’s easy when you have one location and your operations are primarily based on the cloud or in a centralized server system. It’s a lot trickier when you have multiple locations, each with its own networking infrastructure.

Being as far-reaching as it is, the ISO 27001 framework has to accommodate all kinds of businesses with different structures. Naturally, the standard has an option for this: Multi-Site Certification.


Two Ways to Handle Multi-Site Certification

First, let’s talk about the two different ways that businesses can implement ISO 27001 across multiple sites.

These two options are to obtain individual site certifications or to obtain a single overarching multi-site certification.


Which one you choose depends heavily on the variance between sites, your expectations of growth, and the amount you’re willing to invest in certification.

Pros and Cons of Individual Certifications

Obtaining individual certifications means each site holds its own ISO 27001 certificate.

This is the best option for flexibility, and if your business might be selling off or parting ways with specific facilities. It’s most common when different sites are structured as subsidiaries rather than branches or franchises, and it’s also best used when each facility has a different purpose (such as a head office location, a manufacturing location, a warehouse location, and a fulfillment center location).

Under this approach, each site undergoes the ISO 27001 certification process as if it were the entire business. That facility writes its own risk assessment, develops its own scope, writes its own statement of applicability, and determines its own selection of relevant controls. Each site undergoes its own audit and validation process, with its own evidence and artifacts.

The biggest downside is the legwork and administration involved. If you thought going through one ISO 27001 process was difficult and time-consuming, wait until every individual facility has to do its own. Everyone has their own audits, their own timelines, their own paperwork, and more. The administration alone is immense.


On the upside, there are a few benefits.

  • Subsidiaries can easily be merged or sold off without affecting the overall ISO 27001 ISMS for the organization.
  • One lagging subsidiary won’t jeopardize the certification for the whole of the organization.
  • Potentially, the costs can be lower than doing a full multi-site certification.

Multi-site certification isn’t a bad option, though, so it’s also worth looking into.

Pros and Cons of Multi-Site Certifications

A multi-site certification treats all of your different sites as one organization for the purposes of certification. Your business as a whole earns the certification, with individual sites being evaluated as components of the whole.

You have one ISMS, one scope, one risk assessment, one statement of applicability, one set of evidence and artifacts, and so on.

Immediately, the administrative burden is lower. The scope will be larger, of course, and the controls will vary from location to location, but it all contributes to one overall certification.

This option tends to be best for deeply interconnected businesses, where each location is a part of the whole and the chances of it being spun off or split up are slim. It’s also best when every location is essentially a carbon copy of every other location. The ability to facilitate easy movement of employees from one location to another, and even inter-departmental communications, shouldn’t be underestimated either.

In the past, a multi-site certification was very expensive. Despite being one certification, auditors would need to travel to each location for interviews, inspections, and reviews. The scope was huge, and the costs related to travel, logistics, hotel stays, and more were all added to your final bill. Meanwhile, much of this effort is duplicated nearly identically across locations.

The 2024 update to ISO 27001 allowed for streamlining of this process. Digital and remote interviews minimize time and travel, and for larger organizations with many identical locations, sampling can be used to test them, speeding up the process. The formula used is a square root: the number of sites sampled must be at least the square root of the total number of sites, so a business with 25 locations needs 5 certified, and one with 100 locations needs 10 certified.

Consistency, efficiency, and simplicity: these are the primary benefits of a multi-site certification over individual certifications.


There’s one downside, however: what affects one site affects them all. If one site fails the audit or has a critical fault, the whole organization is put into jeopardy. The bar for ongoing surveillance and corrective action is consequently much, much higher.

How to Qualify for Multi-Site ISO 27001 Certification

If you think your business has enough locations that using a multi-site certification would be beneficial, how do you know if you qualify?

The key is centralization of the ISMS. Think about how businesses with many franchises around the world or sprawling operations (McDonald’s, Nike, and so on) have regional and global headquarters. These aren’t just hubs of administrative work. They’re the central point through which data passes.

Essentially, individual locations can’t be fully independent. Risks, threat vectors, information handling, and other processes need to be managed through a centralized process, with people at the central location responsible for it.

Multi-site certification also requires that all sites perform similar activities. If there’s a lack of uniformity in function, the standards of security and the applicable controls vary too much, and a multi-site audit might not be beneficial.

If a risk, threat, or decision can be handled entirely from the branch location, it’s likely too independent for an ISO 27001 auditor to be able to skip over that location and trust that it’s secure.


An auditor will check with the central location first. There, they will verify things like:

  • That the business has operational control of all sites included in the certificate.
  • That procedures are in place to ensure conformity across subsidiary branches according to central tenets.
  • That elements of continuous monitoring and ongoing validation are performed in the central office.

When a multi-site certification is issued, there are multiple certificates. The organization as a whole has an umbrella certificate, and each site has its own sub-certificate that is valid only as part of the overall umbrella. This means that if a subsidiary were to be sold off or merged with another organization, its sub-certificate would no longer be valid, and it would have to join the ISMS and certification of the new organization.

Overall, consistency is key. Sites should work the same way, have the same processes, pass the same internal and external audits to the same standards, and be subject to the same monitoring and same corrective actions as necessary.

How the Multi-Site Certification Process Works

Undergoing an ISO 27001 audit is stressful, expensive, and time-consuming. How is it any different for a multi-site certification?

The first step is planning. You’ll want to review your organization and determine whether or not a multi-site certification is appropriate, according to the criteria above.

At the same time, it’s a good idea to do anything you can to limit the scope. Scoping is critical for all frameworks, but even more so for a multi-site certification. Auditors will have to visit and review each site. The more you narrow the scope, the less they have to do, so the faster they can do it, and the less expensive it is to have it done.

Next, you put together your application and submit it to the relevant certifying body for ISO 27001 in your region. This body will make the determination of whether or not a multi-site certification is applicable to your business, and if it is, you can proceed.

After that, you do the legwork to get your sites up to snuff. The usual ISO 27001 process applies here, just to each site and the organization as a whole. Understand the scope, determine the risks and relevant controls, figure out the appropriate implementation, do the implementation, gather the relevant artifacts and proof, and establish monitoring. Crazy how a year of work can be summed up in a single sentence, right?

Once your organization is ready, you undergo the initial audit. Part of your planning was to determine whether or not sampling is allowed, and how many sites need to be sampled; the auditor, if they agree, will follow that sampling plan. You don’t get to pick which sites are audited, but you do get some influence over how many need to be audited.


Once you pass the audit and obtain your multi-site certification, operations continue just as they would under any other ISO 27001-certified business. You will perform sampling audits for surveillance regularly, and your recertification audits will be conducted as normal.

In all cases where sampling is involved, the selection of which sites to sample must be made fresh each time. Some sites will be sampled repeatedly, and others might not be sampled at all, but that’s fine. The point is that any site can be sampled at any time, so all sites need to meet the standards.

Tips for Making the Multi-Site Certification Process Smooth

If you’re interested in pursuing multi-site certification, there are some things you can do to make it easier, faster, cheaper, or more effective along the way.

Shop around for your certification body. You aren’t locked into one certifying body; there are always several options, no matter where you are in the world. Solicit quotes and send applications to several of them, and pick the one that agrees with your sampling plan and offers the more affordable quote, where relevant. While all certifying bodies follow the same ISMS-validation playbook and use the same ISO 27001 standard, the way they go about it can vary.

Make sure to take advantage of sampling. Developing a sampling plan based on the number and type of sites in your organization is the key to cutting costs and speeding up the process. You need to have a sampling plan going into the application phase, which you’ll have approved by the certification body you’re working with.

Ensure a centralized ISMS. The main structure of a multi-site certification is an ISMS that passes through a centralized hub, from which all control is given and all risks are managed. This ensures consistency across sites, but more importantly, an easier path for auditing and spot-checking through sampling.


Use remote interviews whenever possible. This is another new benefit from the 2024 update to ISO 27001: the ability to use more remote interviews. Each trip an auditor takes to a site can cost thousands of dollars, so video calls can save an immense amount of money and time. You can’t fully prevent some on-site visits (especially where physical security is involved), but any you can cut out is a benefit.

Trim your scope as much as possible. Narrow, focused scoping is the key to inexpensive, successful, and secure implementation of nearly every security framework. ISO 27001 is no different. The tighter the boundary, the less needs to be heavily secured, and the less needs to be audited. Draw lines early and tighten them when possible.

Make use of automation and centralized tools. Automation helps ensure easy compliance with technical security standards and the generation of documentation and proof. Machine-readable artifacts can be more trustworthy and faster to validate than human-made ones. For nearly everything, you can use a platform like the Ignyte Assurance Platform for gathering, automating, tracking, and iterating on security. To see how it works with ISO 27001, give us a call to book a demo. We trust that you’ll love it.
