Third Party SLA for out-of-scope Systems
Sorry for the delay! Here you have our answers:
Each company should include in its ISMS scope only the assets it controls directly, so overlapping of assets means that they didn't set the scope correctly; and sharing the asset list is not necessary if the ISMS scope document is written precisely enough. The ISO 27001 certificate is only for 1 organization, so your organization is responsible for the maintenance of its certificate (in terms of its scope). At this point I recommend you to read this article "How to define the ISMS scope": https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
It is necessary to study each situation, but generally, in accordance with my last point, each auditor has to audit each ISMS (based on the scope of each one). So, in this scenario you can develop this SLA, but anyway there will be 2 different ISMSs, with 2 different scopes, and 2 different internal audits + 2 different certification audits.
Please, if you need more information, give us more information about your situation (scope of your organization, scope of your customer, etc).
Jan 12, 2016