If you are performing a compliance review of a company that says it is ISO 27001 certified, what can you ask for to determine whether it is certified and meets my company's security posture requirements as a vendor? Can I obtain an audit report and Annex A?
To check whether a company is certified, you can ask it who its certification body is and what its certification number is, so you can verify that the certification is in good standing.
Regarding the evaluation of its security posture, you can ask for its Statement of Applicability (which contains information about the applied controls) and the certification body's latest audit report (which will report the results of the latest audit performed by the certification body).
Please note that, unless you have a contract with this company ensuring the release of the SoA and audit report, releasing these documents is the company's decision (and if it does decide to release them, it will probably require your company to sign a Nondisclosure Agreement).
This article will give you a further explanation of the Statement of Applicability: