ISO 27001 ISMS scope for companies with subsidiaries


Hi all,

I am very confused about the scope of the ISMS that we have to implement for our company, and any thoughts will be much appreciated.

The company I work for is a marketing holding company which has many subsidiaries; all the operational services (IT, HR, Finance) are managed by us in the mother company.
One of the subsidiaries, which collects data from clients and then processes and develops that data, has always been asked by clients for their data security and information security audit. The management team finally made their decision to implement ISO 27001 and they are 100% in to support it, but we still don't know how to define the scope.

Should we determine only the subsidiary company along with the operation unit of the mother company?
Should it be the mother company's operation unit, which would then be applied to all subsidiaries?
Should finance even be in the scope, since they don't collect clients' data?

It would be great if someone could elaborate on it.

Many thanks in advance.