Requirements for MSP Company Regarding Supplier Security Policy

ISO 27001 does not specify security requirements for particular companies or industries - instead, security requirements are defined by each company based on risk assessment and third-party requirements.

Considering that, you need to perform a risk assessment considering the exchanged data to identify if you have any relevant risks that the MSP needs to handle (e.g., data loss due to a disaster), as well as any legal requirements you have to enforce into this MSP (e.g., a regulation that enforces your organization to ensure suppliers to protect the information they handle in organization’s name).

The common scenario is the definition of information security clauses in SLAs or contracts signed with such MSPs.

These articles will provide you with further explanation:

• 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
• Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/

Can you direct me to the area where the IS27001 approved accessor are?

I’m assuming you are looking for accredited certification bodies.

Considering that, please note that there is no central list of ISO 27001 certification bodies site. The main certification bodies for ISO 27001 are:

• BSI: https://www.bsigroup.com
• Bureau Veritas: https://www.dnvgl.com/
• DNV: https://www.dnvgl.com/services?ServiceTypes=136423
• SGS: www.sgs.com/
• TUV: www.tuv.com

This article will provide you with further explanation about selecting a certification body:

• How to choose a certification body https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/