ISO 27001 questions

Guest user Created: Jun 30, 2021 Last commented: Jun 30, 2021

We would be happy to accept your free offer and have our documents checked by you. I am sending you our current status.

In particular, we have the following questions:

1 - We are a translation company and have only identified one general entry - our customers - in the list 02.01 of statutory official contractual requirements. Could you tell us if this is enough?

2 - We obtain standard services from our service providers and do not always negotiate individual contracts. Is it sufficient for our certification if our service providers are themselves certified according to ISO 27001?

3 - As a small company, management and IT have double roles of responsibility, so that the separation of duties is not always possible. Did we take this into account correctly in the documents? How is this to be dealt with in general?

Expert
Rhand Leal Jun 30, 2021

1 - We are a translation company and have only identified one general entry - our customers - in the list 02.01 of statutory official contractual requirements. Could you tell us if this is enough?

We are not legal experts, and without more information about your scope, we cannot provide a more robust solution.

Please note that you may have other interested parties which may define requirements for information security, like suppliers, and the government. Additionally, as a translation company, you may have requirements regarding how translations should be performed (and if you do not comply with these your translation may have information integrity issues).

Considering that, we advise you to hire legal expert advice to help you identify these requirements.

For further information, see:

2 - We obtain standard services from our service providers and do not always negotiate individual contracts. Is it sufficient for our certification if our service providers are themselves certified according to ISO 27001?

It is not enough that your service providers are certified according to ISO 27001. You need to ensure that they treat the risks you identified as relevant and related to them in the way you expect (e.g., if unauthorized access to information is a relevant risk to you, you need to ensure they treat this risk properly). This is normally handled by defining a contract or service level agreement with them that includes information security clauses covering the risks you want them to treat.

For further information, see:

3 - As a small company, management and IT have double roles of responsibility, so that the separation of duties is not always possible. Did we take this into account correctly in the documents? How is this to be dealt with in general?

When separation of duties is not feasible to treat relevant related risks, you need to consider compensatory controls, like monitoring activities and management supervision, to ensure that even without segregation of duties the identified risks are properly handled.

For further information, see:
