Expert Advice Community

Request for clarification on assessment report
Guest user Created:   Nov 17, 2021 Last commented:   Nov 17, 2021

A slightly related question to the article I am reading on your website ("List of mandatory documents required by ISO 27001 (2013 revision)"): is it reasonable to request the assessment report and the treatment plan from a vendor during a vendor risk assessment?
Expert
Rhand Leal Nov 17, 2021

Since these documents contain very sensitive information about the vendor's risks, it is unlikely that they will share them with third parties.

In general, to understand the security profile of a vendor compliant with ISO 27001, it is reasonable to ask for the Statement of Applicability (this document identifies at least the applicable controls, the justification for their applicability, their implementation status, and the justification for excluding any controls from ISO 27001 Annex A).

This article will provide you with a further explanation of the Statement of Applicability:
