I am curious what the boundaries are from a technology standpoint. I was told that you could have many "trusted" connections to non-ISO 27000-compliant entities and it would not affect the certification of the original environment. It did not matter how these other environments were configured or whether they were ISO 27000 compliant. I know with PCI and other such controls this would matter (one could have a stateful firewall dividing the environments for PCI, amongst other considerations). It is obvious that if you had an open connection between environments that had poor security, it would represent a higher risk, but could such changes affect the certification of an environment from an ISO 27000 perspective? While I have read through the controls and it seems wrong to me, I don't understand how the full certification process takes place. My skepticism abounds. Can you provide a link justifying your perspective?