One of our vendors already has their ISO 27002 certification [for a while now], and when I asked about obtaining a copy of the documentation and verification of their certification, they provided us with the first three pages of their ISO 27002 Risk Assessment report, which included the title page, table of contents and introduction (stating who performed the certification and listing the control areas). Further, they said that because the ISO certification documents contain such detailed, confidential information, they do not allow any of the rest of their documentation to leave their office. They will allow others with a vested interest (such as our company) to schedule certified ISO auditors to visit their offices to review their documentation.
Our question: Does ISO 27001 / 27002 have any terms / requirements / documentation that specify that the documentation cannot leave the company's office?
If so, could you point me in a direction that provides us with that info or at least a summary?
We look forward to hearing from you at your earliest convenience.
Neither ISO 27001 nor ISO 27002 has strict requirements that would prevent the documentation from being disclosed outside the company office.