Transferring Risk using Insurance
Hi Dejan,
As discussed with you during my meeting with you, I have 2 non-conformities for my ISO 27001 audit. One of them was A.15.2 - Supplier Relationship. We failed on A15.2.1 - Auditor notes "No evidence of monitoring and review of supplier services."
I read your blog on risk mitigation - https://advisera.com/27001academy/blog/2016/05/16/4-mitigation-options-risk-treatment-according-iso-27001/
My question for you is that we have insurance. Can we transfer the risk of A15.2 using the insurance? Please let me know.
Yes, in some cases you can transfer the risk to insurance (e.g. for a risk of fire, you can insure your physical assets); however, such insurance can only cover a smaller number of your risks. Therefore, you cannot expect to treat all risks through risk transfer using the insurance.
For the risks for which you use the insurance, you will not need to perform monitoring and review of supplier services.
May 04, 2021