A common concern for organizations implementing ISO 27001 is third-party vendors and outsourced services such as physical hosting. This raises the question of how to include a third-party organization in the scope of the Information Security Management System (ISMS).
Some organizations attempt to include the third-party provider within their ISMS, which can make the risks associated with that third party difficult to manage. Others take a hands-off approach and transfer all outsourcing risks to the third-party provider without addressing them at all. The correct approach lies somewhere in the middle.
Normally, if the direct risks related to a third-party provider cannot reasonably be managed by the organization, they should be excluded from the ISMS risk assessment process. For example, if the production systems are maintained at a third-party data center, the organization cannot be held accountable for determining that facility's physical security controls. However, this does not mean that the organization can simply disregard these risks and controls.
Since production systems are a critical component of any organization's ISMS, the risk associated with outsourcing cannot be completely transferred to the third party. There is inherent risk in any outsourced relationship, and the more critical the service is to the ISMS, the greater the risk to the organization. Management must acknowledge this risk and determine how it should be addressed.
ISO 27001 includes controls that pertain to the management and monitoring of third-party service providers (A.6.2 and A.10.2). While an organization cannot include a third party's controls within its own ISMS, it should have a process in place to evaluate and monitor the third-party provider's controls to ensure they meet the organization's expectations, and this monitoring should be documented as part of the ISMS records. Although a formal certificate scope statement would not list the location and services of the third-party provider, these services and locations should be incorporated into the overall ISMS under the controls related to third-party management and monitoring. An adequately designed ISMS should conduct a risk assessment that considers the risks associated with significant third-party services, such as data centers.