A.14.2.7 - is a developer hired as a consultant considered outsourced development?
Addition:
In general, many of us (including myself, acting as Compliance Officer) are engaged via our own companies and invoicing for our salary instead of being hired directly by the company. In all other aspects we're the same as the employees - should we treat ourselves as 3rd parties or employees? I mean in terms of security awareness training, confidentiality statements etc.
From an ISO 27001 point of view, when a person works full-time for a company, and the company controls all aspects of his/her work, then this person can be considered as part of the scope - not as a third party.
Alright, thanks. But legally I guess we would have to treat him as a third party, right? I mean we have a Third-Party Confidentiality Statement and we have an Employee Confidentiality Statement. Legally it would not make sense to treat a person engaged through his own company as an employee in this aspect. Do you agree?
Yes, legally you have to treat this person as an employee of a third party, but even then you can require this third party to have their employees follow the internal rules (policies and procedures) of your own company.
Oct 25, 2021