Guest
ISO 27001 Enquiry
Consider the following scenario:
Organization A engages a vendor for its SaaS services to manage System A. System A is not an on-premises system and is managed by the vendor, which is currently ISO 27001 certified.
If Organization A wishes to obtain ISO 27001 certification for System A, will Organization A be exempt from certain clauses in the ISO 27001 standard that are managed by the vendor? For example, physical security and encryption controls.
In summary, I would like to gain a better understanding of how to go about preparing my organization for ISO certification for systems which are off-premises SaaS solutions managed by an ISO certified third-party vendor.
Expert
Rhand Leal
Jun 07, 2022
For your organization to be compliant with ISO 27001 when handling off-premises systems managed by third parties (whether they are ISO 27001 certified or not), your organization needs to:
- identify relevant risks and applicable legal requirements these suppliers must comply with
- communicate such risks and legal requirements to the suppliers.
Based on the risks and legal requirements, your organization and the supplier will define applicable security controls to best fulfill them. Normally the agreed controls will be enforced by means of contracts or service agreements.
These articles will provide you with a further explanation of supplier security management:
- 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
- Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/