Expert Advice Community

Evidence about providers

Guest user. Created: Nov 17, 2016. Last commented: Nov 17, 2016

Considering three providers (A is ISO 27001 certified, B is following ISO 27001 but is NOT certified, and C does not follow ISO 27001 best practices), regarding accreditation, what do I really need to have as evidence that they do their job correctly?

Expert: Dejan Kosutic, Nov 17, 2016

Answer: The point is not whether these providers are ISO 27001 certified or not; the point is whether they comply fully with the security clauses that are part of the contract they have signed with you.

The evidence about this you can get in a couple of ways:
- They can send you reports
- You can send your auditor to their company
- You can send a third-party auditor to their company to check whether they are compliant with the contract

This article explains more about how this relationship with suppliers works: 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/

These materials will also help you regarding handling suppliers:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
