I have a concern presently concerning ISO27001 and company ISMS policy / third party agreement guideline vs. a third party who plays a large role in company activities.
Our third party agreement guideline states that third parties shall comply with certain security requirements.
We have a provider that has stated they are not ISO 27001 compliant but use many ISO 27002 principles, which is fine, but we are attempting to have them sign our agreement - they do not want to sign, and I QUOTE
"Because such a framework is subject to extensive governance, both internally as by external auditors and our overseers, security is not an area where we (they) have the liberty to accommodate and apply different security requirements per individual customer" UNQUOTE
They have also provided a statement to replace what we have asked: QUOTE
X shall at all times operate and manage the information security, reliability, resilience, and technology planning in accordance with its security control policy. In order to provide a more understandable framework for its specific business, the X security control policy is organised around the 5 key dimensions of: governance, change management, confidentiality, integrity and availability. X has implemented a number of initiatives that enhance security, including a company-wide commitment to adopt many of the principles of ISO 27002, which is the code of practice for information security management. This involves, amongst others, risk management practices in line with ISO 27005 and NIST standards. These internationally recognised standards provide wide-ranging security guidelines" UNQUOTE
How does a company get past this in ensuring they apply to the company security requirements, especially when this aspect can be audited?
Is this acceptable?
Thanks for your reply
The point here is not about ISO 27001 or ISO 27002 (or any other framework), but whether your provider really implemented security controls or not. You stated yourself that "Our third party agreement guideline states that third parties shall comply with certain security requirements.", so in this case I would specify what these security requirements are (e.g. they can connect to your network only via VPN, they have to use passwords of certain complexity, etc.), and ask them to sign an agreement where they will be obliged to comply with those requirements.
By the way, from the quote you provided "Because such a framework is subject to extensive governance, both internally as by external auditors and our overseers, security is not an area where we (they) have the liberty to accommodate and apply different security requirements per individual customer" it is obvious your provider has no idea what ISO 27001 really is.
ISO 27001 does allow liberty to accommodate different security requirements per individual customer, and the framework is not subject to extensive governance (unless they write documents they don't really need). Perhaps you could send them links to these articles:
5 greatest myths about ISO 27001
5 ways to avoid overhead with ISO 27001 (and keep the costs down)