I do have a follow-up question. You explained that if a risk assessment requires better security from a provider or vendor, we can influence that vendor or choose a better one.
But if that vendor was left outside of the scope, would they still be part of the risk assessment? Would it still come up?
My concern would be that if we depend on a vendor to provide a secure service, but it's not in our control so we leave it out of our scope, how would we consider and manage it? Sounds like a loophole.
I suppose we shouldn't want to leave a vital process outside of our control to begin with, but I am still wondering if there could be a loophole there... I get why a scope has to be chosen early, but if the risk assessment comes after the scope, it just seems to me that a vital asset or vulnerability could be left out of consideration. Which would mean a different risk management framework would be needed apart from ISO 27001?
I might be going down the rabbit hole here. I really appreciated the webinar and guidance so far! It has helped me out a lot.