SoA and outsourced IT

Guest user. Created: Jul 18, 2017. Last commented: Jul 18, 2017.

Given our reliance on third party IT, should we include controls they use on our behalf (such as malware detection or logging) in our list of controls for purposes of the Statement of Applicability? They are certainly in place but we do not implement or control them, so we are not sure if they should be in our SoA.

Expert: Rhand Leal, Jul 18, 2017

Answer: You should include the controls in the SoA. Even if they are implemented by your IT service provider, including them in the SoA is a good idea because this way your organization will have a clear overview of who will implement which control, making it easier to keep track of all controls, who is responsible for them, and what their status is.

The proper way to do that is to state the control as applicable and indicate which third party will implement the control and what the legal basis for it will be (e.g., implemented by a third party according to the service agreement).

You should also note that by doing it this way you have to ensure that you state control A.15.1.2 (Addressing security within supplier agreements) as applicable and retain as evidence the service agreement with the security clauses your provider must comply with. These security clauses basically refer to the controls your organization states as applicable in your SoA and that you want the provider to apply.

These articles will provide you with further explanation about controls in outsourced IT:
- Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/
- Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/

These materials will also help you regarding controls in outsourced IT:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://training.advisera.com/course/iso-27001-foundations-course/