My organization is seeking ISO 27001 certification but we outsource physical hosting to a third-party.
How do I have to include that organization in the scope of my Information Security Management System (ISMS) when we are not responsible for those physical and environmental controls?
This question is common for organizations implementing an ISMS. The question of how to treat a critical third-party service provider arises often when an organization is in the early stages of scoping its ISMS. Some organizations attempt to scope the third-party provider within their ISMS, which leads to difficulties when trying to treat risks that apply to the third party rather than to themselves. Other organizations take a more tolerant approach and “transfer” all applicable outsourcing risk to the third-party service provider, without treating the risk at all. The correct approach is actually somewhere in the middle.
Generally speaking, an organization must exclude a third party from their ISMS risk assessment process if the direct risks related to that third party cannot be reasonably treated by the organization. For example, consider the physical access controls necessary to mitigate the risk that unauthorized access could be granted to production systems. If the production systems are maintained at a third party data center, the organization is obviously not accountable for determining appropriate physical security controls, such as assigning access, granting access, monitoring access, and revoking access.
So, using the example described above, can the organization simply disregard these issues on the grounds that the third-party data center is responsible for these risks and controls? No. As production systems would be considered a critical component of any organization’s ISMS, risk cannot be merely transferred to a third party. There is inherent risk in any outsourced relationship, and the greater the criticality to the ISMS, the greater the risk to the organization. Management would be required to consider that risk and determine in what way it should be treated.
Controls applicable to the management and monitoring of third party service organizations are included within the ISO 27001 control set (specifically within A.6.2 and A.10.2). While an organization cannot include the controls of a third party provider within their ISMS, they should have a process in place to evaluate and monitor the related third party provider controls to ensure that they are acceptably implemented and meet the expectations of the organization. Evidence of that monitoring should be available as a record of the ISMS.
Though an organization’s certificate scope statement would not formally include the location and services of a third-party provider, ensure that those services and locations are included within the overall ISMS under the controls related to third-party management and monitoring. Any appropriately designed ISMS must include a risk assessment process that considers risks related to the services provided by significant third parties such as data centers.
For more information about ISO 27001 visit Schellman's website.
About the Author
Ryan Mackie is a Principal and ISO Certification Services Practice Director at Schellman & Company, LLC. Ryan manages SOC, PCI-DSS, ISO, HIPAA, and Cloud Security Alliance (CSA) STAR Certification and Attestation service delivery and also oversees the firm-wide methodology and execution for the ISO certification services, including ISO 27001, ISO 9001, ISO 20000, and ISO 22301 as well as CSA STAR certification services. He has over 18 years of experience. Ryan is also an active member of the CSA and sits on the Open Control Framework committee, which is responsible for the CSA STAR Program methodology and execution.