Guest user Created: Nov 03, 2021 Last commented: Nov 03, 2021

Compliance review

If you are performing a compliance review of a company who says they are ISO 27001 certified, what can you ask for to determine if they are certified and meets my companies security posture as a vendor? Can I obtain an audit report and annex A?

0 0

Assign topic to the user

Select user

Expert

Rhand Leal Nov 03, 2021

To look for if a company is certified, you can ask it who its certification body is, and its certification number, so you can verify if the certification is in good standing.

Regarding the evaluation of its security posture, you can ask for its Statement of Applicability (which contains information about applied controls), and the latest performed certification body’s audit report (which will inform the results of the latest audit performed by the certification body).

Please note that, unless you have a contract with this company ensuring the release of the SoA and audit report, the release of these documents is a decision of the company (in this case, if they decide to release the documents, they probably will require the signing of a Nondisclosure Agreement with your company).

This article will provide you a further explanation about the Statement of Applicability:

The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

Quote

0 0

Comment as guest or Sign in

HTML tags are not allowed

Name *

Email *

I accept the Privacy and Terms

Notify me when someone replies

Nov 03, 2021

Expert Advice Community