Expert Advice Community


Compliance review

Guest user Created:   Nov 03, 2021 Last commented:   Nov 03, 2021


If you are performing a compliance review of a company that says it is ISO 27001 certified, what can you ask for to determine whether it is certified and meets my company's security posture as a vendor? Can I obtain an audit report and Annex A?

Expert
Rhand Leal Nov 03, 2021

To check whether a company is certified, you can ask it who its certification body is and what its certification number is, so you can verify whether the certification is in good standing.

Regarding the evaluation of its security posture, you can ask for its Statement of Applicability (which contains information about applied controls), and the latest performed certification body’s audit report (which will inform the results of the latest audit performed by the certification body).

Please note that, unless you have a contract with this company ensuring the release of the SoA and audit report, the release of these documents is a decision of the company (in this case, if they decide to release the documents, they probably will require the signing of a Nondisclosure Agreement with your company).

This article will provide you with a further explanation of the Statement of Applicability:
