Consulting and conflict of interest
I have a question and don’t know where I can find the answer to it.
I know a CB is not allowed to provide consulting.
1 - When we talk about ISO 27001, what is the consulting evidence?
2 - Is a pen test or a contract for the implementation of a SOC a type of consulting?
3 - Is a CB allowed to provide these services to its clients?
1 - When we talk about ISO 27001, what is the consulting evidence?
I'm assuming you are referring to consulting services hired to support operations related to an ISO 27001-based ISMS, because of your second question about a pen test and SOC implementation.
Considering that, ISO 27001 does not prescribe evidence for consulting, but since consulting is a kind of service, you should consider at least this evidence:
- contracts or service agreements (they define what is to be delivered and the rules of execution of the job)
- any evidence of the delivery of what was required (e.g., final reports and all other documents produced by a consultant)
- any evidence of the acceptance by the customer of what was delivered (e.g., acceptance letters, receipts, etc.)
2 - Is a pen test or a contract for the implementation of a SOC a type of consulting?
Consulting is any kind of service where expert advice is provided, so a pen test and the implementation of a SOC can be provided as consulting.
3 - Is a CB allowed to provide these services to its clients?
I'm assuming that by CB you are referring to Certification Body.
Considering that, a certification body must avoid performing any other activity for a client in a way that can affect its capacity to evaluate the client independently.
Mar 29, 2020