I have the next question. A customer of ours participates in a government tender. He must therefore demonstrate that he meets a number of requirements of the ISO 27001 standard. In total it concerns 200 requirements.
The customer has a very small organization, with an IT organization of 5 people.Almost all IT services are outsourced using Google cloud.
1 - What is the best way to deal with controls like logging, capacity management, cabling security, monitoring system use etc. All the measures associated with this control are followed up by the supplier. Our customer does not know exactly how Google Cloud has implemented the measures for this control. Google cloud is ISO 27001 certified.
Answer: The best way to handle controls managed by suppliers is by means of information security clauses in contracts or service agreements, where these clauses enforce the level of protection you expect from the supplier.
2 - My question is:Is it necessary to explain how these controls are implemented by Google or is a more general reference for example a reference to the certification of google cloud sufficient?
Answer: Since your customer is participating in a government tender you have to consider the tender's rules to identify which level of detail is required to fulfill the tender process. In other words, if the tender rules require you to explain how the controls are implemented, then referencing to Google's certification is not going to be enough.