Blog
Product Update
July 15, 2026
Approx min read

How to manage compliance across multiple entities and products

A certificate or assessment covers a defined scope: one legal entity, one product, one site, not a group as a whole. Managing compliance across multiple entities, products or divisions means running each obligation against the scope it actually covers, then reusing the underlying work wherever it applies. Naq does this with compliance instances, a separate scoped instance of a framework for each entity or product, sharing one control and evidence library.

Why doesn't one ISO 27001 certificate cover a whole group?

ISO 27001 certification applies to a documented scope, not to whoever owns the company. Clause 4.3 of the standard requires you to define the boundaries of your information security management system, the ISMS, and keep that definition as a record. A certificate held by one division against its own scope does not extend to sister companies.

The ISMS is the set of policies, controls and processes an organisation uses to manage information security. ISO 27001 certifies that system against a boundary you set. Clause 4.3 of ISO/IEC 27001:2022 requires you to determine the boundaries and applicability of the ISMS, taking account of the internal and external issues in Clause 4.1, the interested parties in Clause 4.2, and the interfaces and dependencies with other organisations. That scope has to be documented information.

The practical result is that a group with several trading companies rarely sits inside one scope. When the organisation changes, through a new division, a new site or an acquisition, the scope has to be reviewed and updated, which the standard handles through management review in Clause 9.3 and improvement in Clause 10. Worth being clear on who issues what: Naq does not issue the certificate. A UKAS-accredited certification body assesses the ISMS and grants ISO 27001. Naq holds and evidences the work that gets you to that assessment. You can read how scope and evidence fit together on the ISO 27001 framework page.

How do you manage compliance across multiple products?

Product assessments run per product, and per version. The NHS Digital Technology Assessment Criteria, known as DTAC, is completed for a specific product. Some criteria sit with the product and each release, others with the developer organisation. Every version of a product needs its own current DTAC form and its own evidence, recorded for audit.

DTAC version 2 has been mandatory since 6 April 2026. The supplier completes it across five assessment areas; the buying NHS or care organisation assures the result. A company with three products completes three separate DTAC assessments, and a new release of any of them means a fresh form and fresh evidence, logged as product, version and result so an assessor can see exactly what was assessed and when.

Clinical safety adds a second product-level obligation. Under DCB0129, the manufacturer of a health IT product is responsible for clinical safety, with sign-off from a Clinical Safety Officer. DCB0160 is the separate obligation that falls on the organisation deploying the product into a care setting. The two are distinct and sit with different parties, so a product you build carries DCB0129, and the trust or provider running it carries DCB0160. Naq treats each product as its own record, so its DTAC and clinical safety work stay attached to that product and do not blur into the rest of the business.

How does one platform hold several entities without merging them?

Naq models each obligation as a compliance instance, a scoped copy of a framework with its own boundaries, schedule and progress. You can hold two ISO 27001 instances for two divisions, or a DTAC instance for each product. Each entity keeps its own posture, frameworks and evidence inside one platform, without being folded into a single shared record.

A scope on an instance can be set to the whole organisation, a subset of it, a product or version, a site, a contract, or a division. That list maps directly onto how ISO 27001 lets you draw a scope boundary, so what you assess in the platform matches what the certificate or submission actually covers. Frameworks behave according to their type: ISO 27001 is a certificate, issued by a third party with an expiry; DSPT and DTAC are submission-based evidence packs with no certificate; UK GDPR is an ongoing legal duty rather than a point-in-time pass.

This is multi-tenancy in the plain sense: one platform, many entities, each with its own separate scope. Which modules are switched on for a given entity is governed by subscription entitlement, so a smaller subsidiary can run one or two frameworks while a larger division runs more. Where a requirement genuinely does not apply to an entity, it is marked Not Applicable with a written justification that is logged, so the gap is explained rather than left blank.

Do you have to re-evidence every company in a group from scratch?

No. A control or evidence document proven for one entity is reusable across other entities and instances wherever it applies. One control can satisfy requirements across several frameworks at once, and a group-standard policy authored once stands as evidence on every instance that relies on it, so the work is done once and counted where it is relevant.

This is the group-scale version of mapping once and counting everywhere. The reuse is governed by applicability and scope, not broadcast automatically to every company. Where a control applies to both divisions, the same proven control and its evidence are attached across both ISO 27001 instances. Where it does not apply to one of them, it is not forced on; that entity marks the requirement Not Applicable with its logged justification. A group-standard information security policy, held once in Documents, can act as evidence on the shared controls that reference it. When that policy is versioned, the control owner re-confirms it before the new version counts, so every instance stays tied to a current, checked source.

The commercial effect is that a growing group standardises a baseline instead of rebuilding compliance for each new company. For more on how one piece of evidence carries across frameworks, see reusing compliance evidence across frameworks.

How do you onboard an acquired company's compliance?

An acquired company arrives with its own controls, evidence and gaps. Bring it into the platform as its own scoped instance, assess its current state, then reuse the group's already-proven controls wherever they apply. The acquired entity keeps its own posture, aligned to the group baseline rather than overwritten by it.

Clause 4.3's requirement to account for interfaces and dependencies with other organisations is the hook here. When the group changes shape, the scope is reviewed, and the acquired business is either brought inside an existing scope or run as its own scoped ISMS while it aligns. The job is practical: work out what the acquired company already has, decide what belongs in scope, and reuse controls and evidence the group has already proven, which turns a full re-audit into a targeted gap-closing exercise.

For a sales lead, this is what keeps a deal moving. When a prospect's procurement team asks the combined business to show its compliance position, each entity can produce its own current, scoped evidence, and the group keeps clearing buyer due diligence as it grows, even as it adds new companies.

What does this look like in practice?

Take a group with two divisions and one digital health product. It carries several obligations at once: two information security scopes and a product that needs both a DTAC assessment and clinical safety work. Each obligation is scoped to what it covers, and they all share one control and evidence library inside a single platform.

Division A holds its own ISO 27001 instance, scoped to Division A, with its own documented scope and schedule. Division B holds a separate ISO 27001 instance, scoped to Division B. That is two instances, two documented scopes and two schedules, because one certificate cannot quietly cover both companies.

The digital health product carries its own NHS DTAC version 2 instance, which the group completes as the supplier and the buying NHS organisation assures, plus DCB0129 clinical safety signed off by an in-house Clinical Safety Officer. When the product ships a new version, that version gets a fresh DTAC form and fresh evidence.

Group-standard policies live once in Documents and stand as evidence on the shared controls that reference them. Where a control applies to both divisions, the same proven control and evidence are reused across both ISO 27001 instances. Where a requirement does not apply to one division, it is marked Not Applicable with a logged justification. Each entity keeps its own auditable posture, and the group works from one shared baseline, with proven controls carried into each new company where they apply. The clinical safety side of this is covered in more depth in what a DCB0129 hazard log needs to include.

FAQ

Can one ISO 27001 certificate cover a whole group?

Not automatically. ISO 27001 certification applies to a documented scope set under Clause 4.3 of ISO/IEC 27001:2022, not to corporate ownership. A certificate held by one entity against its own scope does not extend to sister companies or later acquisitions unless they are brought inside that scope, which requires the scope to be reviewed and updated.

Does each product version need its own DTAC?

Yes. NHS DTAC is completed per product, and each version needs its own current form and evidence. Some criteria apply to the specific product and release, others to the developer organisation. The result is recorded as product, version and outcome so an assessor can see exactly what was assessed.

Do you have to redo compliance for every company in a group?

No. A control or evidence document proven for one entity is reusable across other entities and instances wherever it applies. A group-standard policy authored once can stand as evidence on every instance that relies on it, so a growing group standardises a baseline rather than rebuilding compliance company by company.

What is a compliance scope?

A compliance scope is the defined boundary an assessment or certificate covers: which parts of the organisation, which sites, which products or which contracts are included. ISO 27001 Clause 4.3 requires this boundary to be determined and documented. In Naq, each compliance instance carries its own scope, so an assessment matches what it actually covers.

How do you onboard an acquired company's compliance?

Bring the acquired company into the platform as its own scoped instance, assess its current controls, evidence and gaps, then reuse the group's already-proven controls and evidence wherever they apply. The entity keeps its own posture and is aligned to the group baseline rather than rebuilt from scratch.

Does Naq issue the ISO 27001 certificate?

No. A UKAS-accredited certification body assesses the ISMS and issues ISO 27001. Naq holds and evidences the controls, policies and records that get you ready for that assessment and keep the certificate current across each scoped instance.

Book a demo

See how compliance instances hold each entity, product and division against its own scope while sharing one evidence library. Book a demo with Naq.

Newsletter

The latest in compliance and cybersecurity direct to your inbox

Sign up now