Expert Advice Community

Risk assessment question

Guest user Created:   Feb 13, 2021 Last commented:   Feb 13, 2021

I do have a follow up question. You explained if a risk assessment requires better security from a provider or vendor, we can influence that vendor or choose a better one.

But if that vendor was left outside of the scope, would they still be part of the risk assessment? Would it still come up?

My concern would be that if we depend on a vendor to provide a secure service, but it's not in our control so we leave it out of our scope, how would we consider and manage it? Sounds like a loophole. 

I suppose we shouldn't want to leave a vital process outside of our control to begin with, but am still wondering if there could be a loophole there... I get why a scope has to be chosen early, but if the risk assessment comes after the scope, it just seems to me that a vital asset or vulnerability could be left out of consideration. Which would mean a different risk management framework would be needed apart from ISO 27001?

I might be going down the rabbit hole here. I really appreciated the webinar and guidance so far! It has helped me out a lot so far.

Expert
Rhand Leal Feb 13, 2021

1 - But if that vendor was left outside of the scope, would they still be part of the risk assessment? Would it still come up?

Answer: Please note that vendors must be included in the risk assessment if they can influence the confidentiality, integrity and availability of information within the scope - e.g. Amazon AWS (external vendor) can influence the data on the virtual server (that is included in the scope), therefore it needs to be included in the risk assessment. 

For further information, see: 
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/

2 - My concern would be that if we depend on a vendor to provide a secure service, but it's not in our control so we leave it out of our scope, how would we consider and manage it? Sounds like a loophole. 

I suppose we shouldn't want to leave a vital process outside of our control to begin with, but am still wondering if there could be a loophole there... 

Answer: When some of your processes are handled by vendors, you can ensure control over them by defining proper information security clauses in the contracts signed with them, or by evaluating if their offered service agreements have all the clauses you need to ensure your information is protected.

For further information, see:
- 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
- Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/

3 - I get why a scope has to be chosen early, but if the risk assessment comes after the scope, it just seems to me that a vital asset or vulnerability could be left out of consideration. Which would mean a different risk management framework would be needed apart from ISO 27001?

I might be going down the rabbit hole here. I really appreciated the webinar and guidance so far! It has helped me out a lot so far.

Answer: First, it is important to note that organizations may adopt risk management approaches that do not make use of assets and vulnerabilities (e.g., because they use a process-based, or scenario-based, risk assessment).

Considering that, if the scope is properly based on the organizational context, legal requirements, and interested parties, it is unlikely, when using the asset-threat-vulnerability risk assessment approach, that relevant assets or vulnerabilities will not be identified. In case this occurs, you should review your initial assumptions about the scope, so there is no need to use a different risk management framework.

These articles will provide you with further explanation about context identification:

- How to define context of the organization according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/
- How to identify interested parties according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//
- How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/

These materials will also help you regarding ISO 27001:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://training.advisera.com/course/iso-27001-foundations-course/
