ISO 27001 questions
1 - We are a translation company and have only identified one general entry - our customers - in the list 02.01 of statutory official contractual requirements. Could you tell us if this is enough?
We are not legal experts, and without more information about your scope, we cannot provide a more robust solution.
Please note that you may have other interested parties which may define requirements for information security, like suppliers and the government. Additionally, as a translation company, you may have requirements regarding how translations should be performed (and if you do not comply with these, your translations may have information integrity issues).
Considering that, we advise you to hire legal expert advice to help you identify these requirements.
For further information, see:
- How to identify interested parties according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301/
- How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/
2 - We obtain standard services from our service providers and do not always negotiate individual contracts. Is it sufficient for our certification if our service providers are themselves certified according to ISO 27001?
It is not enough that your service providers are certified according to ISO 27001. You need to ensure they treat the risks you identified as relevant and related to them in the way you expect (e.g., if unauthorized access to information is a relevant risk to you, you need to ensure they treat this risk properly). This is normally handled by defining a contract or service level agreement with them that includes information security clauses covering the risks you want them to treat.
For further information, see:
- 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
- Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/
3 - As a small company, management and IT have double roles of responsibility, so that the separation of duties is not always possible. Did we take this into account correctly in the documents? How is this to be dealt with in general?
When separation of duties is not feasible to treat relevant related risks, you need to consider compensatory controls, like monitoring activities and management supervision, to ensure that even without segregation of duties the identified risks are properly handled.
For further information, see:
- Segregation of duties in your ISMS according to ISO 27001 A.6.1.2 https://advisera.com/27001academy/blog/2016/11/21/segregation-of-duties-in-your-isms-according-to-iso-27001-a-6-1-2/
Jun 30, 2021