
Expert Advice Community

Third Party SLA for out-of-scope Systems

Guest post Created:   Jan 12, 2016 Last commented:   Jan 12, 2016


Hello Dejan,

We are currently ISO 27001 certified and the ISMS scope also includes our customers' systems (hosted at the customer's premises as well as outside the customer's premises). The same customer has also initiated their ISO 27001 compliance initiative with the scope of "All IT Services". Now, in this case, to avoid duplicated ISO audits and remediation, what is the possible way forward?

Should we share our asset list with them to ensure there are no duplicates across our asset lists? So they go ahead with the audit of assets on their list (i.e. the assets they manage and operate) and we continue with the surveillance audit of our asset list (i.e. the assets we manage and operate). Meaning we don't have to undergo the end-of-year audit twice, including all the documentation, records and controls implementation etc. In other words, we as System Owners (of the customer's systems, who are the data and business owners) continue to be responsible for compliance.

Also, is it possible to develop an SLA between us in such a way that the customer's ISO auditors do not carry out an exhaustive audit of our assets? For example, can we include the statement in the SLA that the service provider (i.e. us) is ISO 27001 certified and hence we avoid the duplication? We, as service provider, can always produce information to demonstrate compliance, though. With the above approach, the customer would still be able to identify themselves as ISO certified.

Please advise. Regards.
AntonioS Jan 12, 2016

Sorry for the delay! Here you have our answers:

Each company should include in its ISMS scope only the assets it controls directly, so overlapping of assets means that they didn't set the scope correctly; and sharing the asset list is not necessary if the ISMS scope document is written precisely enough. The ISO 27001 certificate is only for one organization, so your organization is responsible for the maintenance of its certificate (in terms of its scope). At this point I recommend you read this article, "How to define the ISMS scope": https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/

It is necessary to study each situation, but generally, in accordance with my last point, each auditor has to audit each ISMS (based on the scope of each one). So, in this scenario you can develop this SLA, but anyway there will be 2 different ISMSs, with 2 different scopes, and 2 different internal audits + 2 different certification audits.
 
Please, if you need more information, give us more information about your situation (scope of your organization, scope of your customer, etc).
