Consider the following scenario:
Organization A engages a vendor for its SaaS services to manage System A. System A is not an on-premise SaaS system and is managed by the vendor, which is currently ISO 27001 certified.
If Organization A wishes to obtain ISO 27001 certification for System A, will Organization A be exempt from certain clauses in the ISO 27001 standard that are managed by the vendor? For example, physical security and encryption controls.
In summary, I would like to gain a better understanding of how to go about preparing my organization for ISO certification for systems which are off-premise SaaS solutions managed by an ISO-certified third-party vendor.
For your organization to be compliant with ISO 27001 when handling off-premises systems managed by third parties (whether they are ISO 27001 certified or not), your organization needs to:
identify relevant risks and applicable legal requirements these suppliers must comply with
communicate such risks and legal requirements to the suppliers.
Based on the risks and legal requirements, your organization and the supplier will define applicable security controls to best fulfill them. Normally the agreed controls will be enforced by means of contracts or service agreements.
These articles will provide you with a further explanation of supplier security management: