Expert Advice Community

Does ISO 27001 have any requirements that the documentation cannot leave the com

Guest user Created:   Jan 13, 2016 Last commented:   Jan 13, 2016

We are hoping that you can assist us with a question that’s come up while we’re developing our ISO 27001 documentation.
DejanK Jan 13, 2016
One of our vendors already has their ISO 27002 certification [for a while now] and when I asked about obtaining a copy of the documentation and verification of their certification, they provided us with the first three pages of their ISO 27002 Risk Assessment report, which included the title page, table of contents and introduction (stating who performed the certification and listing the control areas). Further, they said that because the ISO certification documents contain such detailed, confidential information, they do not allow any of the rest of their documentation to leave their office. They will allow others with a vested interest (such as our company) to schedule certified ISO auditors to visit their offices to review their documentation.
Our question: Does ISO 27001 / 27002 have any terms / requirements / documentation that specify that the documentation cannot leave the company’s office?
If so, could you point me in a direction that provides us with that info or at least a summary?
We look forward to hearing from you at your earliest convenience.

Answer:

Neither ISO 27001 nor ISO 27002 has strict requirements that would prevent the documentation from being disclosed outside the company office.

However, ISO 27001 does allow a company to set its own rules for distribution of and access to its documentation - this is regulated by sections A.8.2 Information classification and A.9 Access control. See also this article: Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/

By the way, a company cannot get certified against ISO 27002, only against ISO 27001 - see this article: ISO 27001 vs. ISO 27002: https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/