Could you verify if my below mentioned explanation of Annexure 18 of ISO27001:2013 is correct?
ISO27001:2013 Annexure 18 Compliance: talks about regulatory and compliance breaches.
If an organization outsources any of its processes under non-disclosure agreements and the third-party vendor gets involved in any kind of data breach, then the annexure control that states "Information security is IMPLEMENTED AND EFFECTIVE" is not complied with.
Auditors should take this into account and look not only for any data breaches reported in the audit period, but also for whether any preventive action was taken after the last reported breach and whether incident response action took place to control the damage.
The number of data breaches occurring tells a different story.
Misuse or abuse of customer data is not a behavior issue. IT IS CRIME.
End customers not reporting data breaches is a system vulnerability. This does not mean at all that third-party vendors have not compromised customer data. There have been cyberattacks where local criminals and insiders or ex-employees were involved in the crime.
An organization needs not only to audit its vendors for the policies implemented, but also to take strict action against every data breach that occurs and to report every breach incident regularly to the regulatory authorities.
Your thoughts on this would be appreciated and enlightening.