An age-old question.
Replace ISO 27001 with SAS-16 (which evolved into multiple SOC reports), audited financial statements etc.
It comes down to:
You can ask. Unless they're contractually required to provide exactly what you request, you can't make them. (Even then... would your legal department want to sue to get it if they refuse?)
There are two exceptions, which are determined by the answers to these questions: 1) How important is your company to their business? 2) How flexible does the vendor decide to be for you, regardless of the answer to number 1?
Good luck and best wishes.
Original Message:
Sent: 05-02-2024 02:03 PM
From: Frank Delker
Subject: ISO Certification NOT enough
We ask for the ISO 27001 certificate, the Statement of Applicability, AND the underlying full audit report (which would have any findings and mitigations noted). If they won't provide those additional documents, then maybe there's an issue to be concerned about.
Original Message:
Sent: 5/2/2024 11:59:00 AM
From: Anonymous Member
Subject: ISO Certification NOT enough
This message was posted by a user wishing to remain anonymous
ISO 27001 is great, but many areas could be de-scoped. Just because a supplier has a valid ISO 27001 cert doesn't mean all of the controls within 27001/2 are being implemented/operating effectively.
Has anyone ever asked a supplier to provide more detail on their ISO 27001 Cert?
Would you ask for Annex A or the Statement of Applicability? I'm not sure what needs to be asked to gain the additional information/detail about what was in scope vs. what was de-scoped.