If there is requirement for iso27001 for ecommerce company, but the company who own the business and who run the ecommerce is different company, who need to take iso 27001 ?
If there is requirement for iso27001 for ecommerce company, but the company who own the business and who run the ecommerce is different company, who need to take iso 27001 ?
Assign topic to the user
I’m assuming that you are asking which company needs to implement ISO 27001 and get certified.
Considering that, the company that needs to implement ISO 27001 and get certified is the one which has a direct business relation to the customer.
For example, if the ecommerce company is directly selling the goods/services, then it is the one who needs to get certified.
On the other hand, if you make deals with the business owner (i.e., the other company only operationalizes the deal), then this is the one who needs to get certified. This way you do not need to verify if every business owner's suppliers that serve you are ISO 27001 certified.
These articles will provide you a further explanation about suppliers’ security management:
- 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
- Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/
This material will also help you regarding suppliers’ security management:
- ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
Comment as guest or Sign in
May 11, 2021