Guest user Created: Jun 07, 2022 Last commented: Jun 07, 2022

ISO 27001 Enquiry

Consider the following Scenario, Organization A engages a vendor for its SAAS services to manage System A. System A is not an on premise SAAS system and is managed by the vendor which is currently ISO 27001 certified. If Organization A wishes to obtain ISO 27001 certification for System A, will Organization A be exempt from certain clauses in the ISO 27001 standard that are managed by the vendor? For example, physical security and encryption controls. In summary, I would like to gain a better understanding on how to go about preparing my organization for ISO certification for systems which are off premise SAAS solutions managed by an ISO certified third party vendor.

0 0

Assign topic to the user

Select user

Expert

Rhand Leal Jun 07, 2022

For your organization to be compliant with ISO 27001 when handling off-premises systems managed by third parties (being they ISO 27001 certified or not), your organization needs to:

identify relevant risks and applicable legal requirements these suppliers must comply to
communicate such risks and legal requirements to the suppliers.

Based on the risks and legal requirements, your organization and the supplier will define applicable security controls to best fulfill them. Normally the agreed controls will be enforced by means of contracts or service agreements.

These articles will provide you with a further explanation of supplier security management:

6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/

Quote

0 0

Comment as guest or Sign in

HTML tags are not allowed

Name *

Email *

I accept the Privacy and Terms

Notify me when someone replies

Jun 07, 2022

Expert Advice Community