ISO 27001 Enquiry

Guest user Created:   Jun 07, 2022 Last commented:   Jun 07, 2022

Consider the following scenario: Organization A engages a vendor for its SaaS services to manage System A. System A is not an on-premises system; it is managed by the vendor, which is currently ISO 27001 certified. If Organization A wishes to obtain ISO 27001 certification for System A, will Organization A be exempt from certain clauses in the ISO 27001 standard that are managed by the vendor, for example physical security and encryption controls? In summary, I would like to gain a better understanding of how to go about preparing my organization for ISO certification for systems which are off-premises SaaS solutions managed by an ISO-certified third-party vendor.

Expert
Rhand Leal Jun 07, 2022

For your organization to be compliant with ISO 27001 when handling off-premises systems managed by third parties (whether they are ISO 27001 certified or not), your organization needs to:

  • identify relevant risks and applicable legal requirements these suppliers must comply with
  • communicate such risks and legal requirements to the suppliers.

Based on the risks and legal requirements, your organization and the supplier will define applicable security controls to best fulfill them. Normally the agreed controls will be enforced by means of contracts or service agreements.

These articles will provide you with a further explanation of supplier security management:
