Services
Services
SOC & Attestations
SOC & Attestations
Payment Card Assessments
Payment Card Assessments
ISO Certifications
ISO Certifications
Privacy Assessments
Privacy Assessments
Federal Assessments
Federal Assessments
Healthcare Assessments
Healthcare Assessments
Penetration Testing
Penetration Testing
Cybersecurity Assessments
Cybersecurity Assessments
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
ESG & Sustainability
ESG & Sustainability
AI Services
AI Services
Industry Solutions
Industry Solutions
Cloud Computing & Data Centers
Cloud Computing & Data Centers
Financial Services & Fintech
Financial Services & Fintech
Healthcare
Healthcare
Payment Card Processing
Payment Card Processing
US Government
US Government
Higher Education & Research Laboratories
Higher Education & Research Laboratories
About Us
About Us
Leadership Team
Leadership Team
Careers
Careers
Corporate Social Responsibility
Corporate Social Responsibility
Strategic Partnerships
Strategic Partnerships

ISO 27001 Full Circle with Your Third Party Providers

ISO Certifications

My organization is seeking ISO 27001 certification but we outsource physical hosting to a third-party.

How do I have to include that organization in the scope of my Information Security Management System (ISMS) when we are not responsible for those physical and environmental controls?

blogTitle-ISO-question01.jpg

This question is common for organizations implementing an ISMS. The struggle on how to treat a critical third party service provider occurs often when an organization is in the early stages of scoping their ISMS. Some organizations attempt to scope the third party provider within their ISMS, which leads to difficulties when trying to treat the risks that might be applicable to a third party. Other organizations take a more tolerant approach and “transfer” all applicable outsourcing risk to the third party service provider, without treating the risk at all. The correct approach is actually somewhere in the middle.

Generally speaking, an organization must exclude a third party from their ISMS risk assessment process if the direct risks related to that third party cannot be reasonably treated by the organization. For example, consider the physical access controls necessary to mitigate the risk that unauthorized access could be granted to production systems. If the production systems are maintained at a third party data center, the organization is obviously not accountable for determining appropriate physical security controls, such as assigning access, granting access, monitoring access, and revoking access.

So, using the example described above, can the organization simply disregard consideration of these the issues under the guise that the third party data center is responsible for these risks and controls? No. As production systems would be considered a critical component of any organization’s ISMS, risk cannot be merely transferred to a third party. There is inherent risk in any outsourced relationship and the greater the criticality to the ISMS, the greater the risk to the organization. Management would be required to consider that risk and determine in what way that risk should be treated.

Controls applicable to the management and monitoring of third party service organizations are included within the ISO 27001 control set (specifically within A.6.2 and A.10.2). While an organization cannot include the controls of a third party provider within their ISMS, they should have a process in place to evaluate and monitor the related third party provider controls to ensure that they are acceptably implemented and meet the expectations of the organization. Evidence of that monitoring should be available as a record of the ISMS.

Though an organization’s certificate scope statement would not formally include the location and services of a third party provider, be sure that those services and locations would be included within the overall ISMS under the controls related to third-party management and monitoring. Any appropriately designed ISMS must include a risk assessment process which considers risks related to the services provided by significant third parties such as data centers.

For more information about ISO 27001 visit Schellman's website.

About RYAN MACKIE

Ryan Mackie is a Managing Principal at Schellman, and has been with the firm since 2005. Ryan supports the regional Florida market and manages SOC, PCI-DSS, ISO, HIPAA, and Cloud Security Alliance (CSA) STAR Certification and Attestation service delivery. He also oversees the firm-wide methodology and execution for the ISO certification services, including ISO 27001, ISO 9001, ISO 20000-1, and ISO 22301 as well as CSA STAR certification services. He has over 25 years of experience. Ryan also is an active member of the CSA and co-chairs the Open Control Framework committee which is responsible for the CSA STAR Program methodology and execution.