Does ISO 27001 have any requirements that the documentation cannot leave the com
One of our vendors has already had their ISO 27002 certification [for a while now], and when I asked about obtaining a copy of the documentation and verification of their certification, they provided us with the first three pages of their ISO 27002 Risk Assessment report, which included the title page, table of contents and introduction (stating who performed the certification and listing the control areas). Further, they said that because the ISO certification documents contain such detailed, confidential information, they do not allow any of the rest of their documentation to leave their office. They will allow others with a vested interest (such as our company) to schedule certified ISO auditors to visit their offices to review their documentation.
Our question: Does ISO 27001 / 27002 have any terms / requirements / documentation that specify that the documentation cannot leave the company's office?
If so, could you point me in a direction that provides us with that info or at least a summary?
We look forward to hearing from you at your earliest convenience.
Answer:
Neither ISO 27001 nor ISO 27002 has strict requirements that would prevent the documentation from being disclosed outside the company office.
However, ISO 27001 does allow a company to set its own rules for distribution of and access to its documentation - this is regulated by sections A.8.2 Information classification and A.9 Access control. See also this article: Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
By the way, a company cannot get certified against ISO 27002, only against ISO 27001 - see this article: ISO 27001 vs. ISO 27002: https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/
Jan 12, 2016