Due Diligence and Ongoing Monitoring

 View Only

  • 1.  ISO Certification NOT enough

    This message was posted by a user wishing to remain anonymous
    Posted 05-02-2024 11:08 AM
    This message was posted by a user wishing to remain anonymous

    The ISO 27001 is great but many areas could be de-scoped.  Just because a supplier has a valid ISO 27001 Cert doesn't mean all of the controls within 27001/2 are being implemented/operating effectively.  

    Has anyone ever asked a supplier to provide more detail on their ISO 27001 Cert?

    Would you ask for Annex A or Statement of Applicability?  I'm not sure what needs to be asked to gain the additional information/detail about what was in-scope vs what was de-scoped.  



  • 2.  RE: ISO Certification NOT enough

    Posted 05-02-2024 01:28 PM

    We ask for the ISO 27001 certificate, the Statement of Applicability, AND the underlying full audit report (which would have any findings and mitigations noted).  If they won't provide those additional documents, then maybe there's an issue to be concerned about.

     

     

    signature_2449658008

       

    Frank M. Delker, CPA, CISA, CIPM 

    Sr. Director of Compliance

    www.miteksystems.com

     

     

     

     






  • 3.  RE: ISO Certification NOT enough

    Posted 05-02-2024 02:18 PM

    An age old question.

    Replace ISO 27001 with SAS-16 (which evolved into multiple SOC reports), audited financial statements etc.

    It comes down to:

    You can ask. Unless they're contractually required to provide exactly what you request, you can't make them. (Even then...would your legal department want to sue to get it if they refuse?)

    There are two exceptions which are determined by the answer to these questions: 1) How important is your company to their business? 2) How flexible does the vendor decide to be for you regardless of the answer to number 1.

    Good luck and best wishes.


    Original Message