Expert Advice Community

Information in third party systems

Guest user Created:   Jun 07, 2021 Last commented:   Jun 07, 2021

Hello,

First of all, thank you very much for your help. It is helping me to understand how to do things in a better and simpler way.

Another question: 

Q1 – The HR department has most of the systems they use externalized with 3rd parties. These cover our official web site, personnel information, payroll and other tools. The 3rd parties do the technical management, and our HR uses the systems, maintaining the information. My guess is that these systems aren’t assets we need to protect, because they are out of our control, but the information belongs to us.

How should we treat this case in terms of assets, risk assessments and controls?


Expert
Rhand Leal Jun 07, 2021

In case the information you want your Information Security Management System to protect interacts with these systems, then you need to ensure these systems fulfill your information security standards.

In cases like these, where you find relevant risks to information that are related to systems managed by third parties, you need to consider controls from section A.15 (Supplier relationships), which will help you enforce your security needs and requirements upon suppliers.

For information about controls from section A.15 (Supplier relationships), I suggest you look at these articles:
