Expert Advice Community

SoA and supplier-related risks

Guest
Guest user Created:   Nov 12, 2019 Last commented:   Nov 12, 2019

I have the following question:

Company A rents virtual as well as complete servers from a hosting provider. On these servers a development company develops customized software for company A. The scope of the ISMS of company A covers the whole organization and therefore also the data and applications on the servers. Company A has no software development of its own.

Question: Regarding 14.2.5, 14.2.6, 14.2.8 and 14.2.9, can company A exclude these controls in the SoA and only apply 14.2.7, as the responsibility/risk is contractually transferred to the development company and company A does not have any software development of its own? The risk assessment has shown some risks with regard to the development process on the servers, but these have been treated by contractually transferring the liability to the solution provider and applying chapter 15 controls. Contractually, the development company is responsible for maintaining the security of the servers. What would be the best approach here?

Expert
Rhand Leal Nov 12, 2019

In this situation, the best approach is to include controls 14.2.5, 14.2.6, 14.2.8, and 14.2.9 in the SoA, with the justification that there are unacceptable risks that require their implementation, and specify in the implementation method that they are implemented by suppliers according to signed contracts.

It is important to note that, when an organization transfers risks, it retains accountability for those risks, and the best way to keep track of them is by documenting them in the SoA.

This article will provide you with further explanation about risk treatment:
- 4 mitigation options in risk treatment according to ISO 27001 https://advisera.com/27001academy/blog/2016/05/16/4-mitigation-options-risk-treatment-according-iso-27001/
