Last Updated on September 15, 2020
Getting an ISO 27001 certificate from a vendor is an overarching statement that, yes, they have an information security management system (ISMS) that meets the requirements of the ISO 27001 standard. But what is the scope of that certified ISMS? And what is explicitly not in scope? Is there anything critical to your own security posture that is out of scope? Is the vendor’s ISMS mature and robust, or newly certified and just getting off the ground?
This vendor risk management concern came up in an episode of The Virtual CISO Podcast featuring ISO 27001 implementation expert Rich Stever. Rich is GRC Practice Lead at Pivot Point Security, and heads up our team’s implementation and advisory services for ISO 27001, ISO 27701, SOC 2, HITRUST, FedRAMP and other frameworks.
Rich explains: “When clients are looking at a particular third party, they’ll ask for their ISO 27001 certification. A lot of times they’re just being handed the certificate. Well, how do you know what controls are in play? How do you know what controls are applicable? What’s the scope?”
Rich suggests that in addition to asking for the ISO 27001 certification, you also request specific artifacts (or the closest thing they have) associated with the vendor’s ISMS. These include:
- The statement of applicability. This document is basically derived from the risk assessment. The risk assessment dictates what controls (typically as defined in ISO 27001 Annex A) you need to implement. The statement of applicability goes a step further to describe what controls are in scope and how robust those controls need to be to mitigate the assessed risk, as well as what controls are explicitly out of scope.
- The scope statement, which defines the scope of the vendor’s ISMS (sites, systems, processes, people, etc.).
With these additional documents in hand, you can better evaluate whether a vendor’s ISMS will really keep your data secure and/or align with your InfoSec policies and compliance requirements.
Look for “red flags” like a scope statement that’s out of date, or a site that’s in scope according to the scope statement but has no physical controls listed. Check also for controls that are explicitly excluded (“carved out”) from the ISMS that would be critical to your partnership.
An example we see more often than you might expect is a SaaS vendor that excludes from its ISMS scope key Annex A controls regarding secure web application development and testing. This is probably not good news for clients using that application.
You may not have the time or the expertise to do a big deep-dive into your vendor’s ISO 27001 artifacts. But if you really want to know who you’re working with, giving them at least a quick read can open a big window onto potential areas of concern. Or they can give you greater peace of mind that a vendor is verifiably committed to keeping your data secure.
This podcast episode with Rich Stever will be of interest to anyone who wants more ISO 27001 “street smarts”—whether you’re looking to get certified or evaluate certified vendors.
To listen to the full episode, click here. If you don’t use Apple Podcasts, click here.