
Expert Advice Community

Guest

Evidencing requirements

Guest user Created:   Sep 10, 2019 Last commented:   Sep 10, 2019


I have the next question. A customer of ours participates in a government tender. He must therefore demonstrate that he meets a number of requirements of the ISO 27001 standard. In total it concerns 200 requirements.


Expert
Rhand Leal Sep 10, 2019

The customer has a very small organization, with an IT organization of 5 people. Almost all IT services are outsourced using Google Cloud.
1 - What is the best way to deal with controls like logging, capacity management, cabling security, monitoring system use, etc.? All the measures associated with this control are followed up by the supplier. Our customer does not know exactly how Google Cloud has implemented the measures for this control. Google Cloud is ISO 27001 certified.

Answer: The best way to handle controls managed by suppliers is by means of information security clauses in contracts or service agreements, where these clauses enforce the level of protection you expect from the supplier.

For more information, see:
- 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
- Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/

2 - My question is: Is it necessary to explain how these controls are implemented by Google, or is a more general reference, for example a reference to the certification of Google Cloud, sufficient?

Answer: Since your customer is participating in a government tender, you have to consider the tender's rules to identify which level of detail is required to fulfill the tender process. In other words, if the tender rules require you to explain how the controls are implemented, then referencing Google's certification is not going to be enough.
