Expert Advice Community


Question - ISO 27001

Guest user Created:   Apr 19, 2022 Last commented:   Apr 19, 2022


Hello – I am a partner with you and have the following situation I hope you could advise on... I have a client who has 1 Director and no employees, and he uses Contractors (Suppliers) to perform all the work for him – and he is looking for ISO 27001 certification. His business is a website registration system, and it is mostly Software/website development.

Questions:

1. How do you put in place HR systems when there are no employees? Would this be more about Supplier management? And supplier worker management?

2. With Software Development - Would they either: (a) require suppliers to follow his requirements or ISO Compliant software development manuals, OR (b) require the subsidiary to produce their software development manual (which meets the requirements of ISO 27001) – which he approves?

I hope you can advise?

Expert
Rhand Leal Apr 19, 2022

1. How do you put in place HR systems when there are no employees? Would this be more about Supplier management? And supplier worker management?

Since your customer uses contractors, his relationship with them and their employees will be through supplier management, so regarding ISO 27001 implementation, this will mostly cover controls from ISO 27001 Annex A section 15 Supplier relationships.

For further information, see:

2. With Software Development - Would they either: (a) require suppliers to follow his requirements or ISO Compliant software development manuals, OR (b) require the subsidiary to produce their software development manual (which meets the requirements of ISO 27001) – which he approves?

In this situation, first you need to ensure, by means of security clauses in contracts or service agreements, that risks you consider relevant, and legal requirements applicable to his organization, related to software development are properly treated by the supplier.

Considering that, alternative (a) is more adequate because in alternative (b) you only consider the standard's requirements, not those of your customer.

These articles will provide you with further explanation about security clauses and software development:
