Third Party Providers vs. ISMS Policy conflictions
Paula,
The point here is not about ISO 27001 or ISO 27002 (or any other framework), but whether your provider really implemented security controls or not. You stated yourself that "Our third party agreement guideline states that third parties shall comply with certain security requirements", so in this case I would specify what these security requirements are (e.g. they can connect to your network only via VPN, they have to use passwords of certain complexity, etc.), and ask them to sign an agreement where they will be obliged to comply with those requirements.
By the way, from the quote you provided "Because such a framework is subject to extensive governance, both internally as by external auditors and our overseers, security is not an area where we (they) have the liberty to accommodate and apply different security requirements per individual customer" it is obvious your provider has no idea what ISO 27001 really is.
ISO 27001 does allow liberty to accommodate different security requirements per individual customer, and the framework is not subject to extensive governance (unless they write documents they don't really need). Perhaps you could send them links to these articles:
5 greatest myths about ISO 27001
5 ways to avoid overhead with ISO 27001 (and keep the costs down)
Jan 12, 2016