In the coming months this blog will focus on my personal experience with ISO 27001 and SOC 2 from the perspective of managing third-party security risks, especially for cloud-based application vendors. Having reviewed countless assurance documents in this area, I think it’s fair to say that I have seen the sheer differences in quality that can influence many organisations’ third-party risk management programs.
When performing a (cloud-based application) vendor security risk assessment, it is common for the potential buyer to request and review the vendor’s ISO 27001 certification document, if one is available of course. From there, the assessor will typically focus on the certificate expiry date, the organisational scope, and the applications/services/infrastructure scope of the audit. Interestingly enough, there are cases where a detailed review of the certificate, and going the extra mile, reveals how a company actually perceives and deals with security and compliance.
My partner’s ISO 27001
Any vendor would be very proud to put an ISO 27001 certified logo on their website. However, when I ask them for a copy of the certification document, some vendors actually submit either their hosting provider’s ISO 27001 certificate or their sister company’s certificate.
Most of the time the claim is along these lines:
- our hosting provider is ISO 27001 certified, so your data is safe with us; or
- we work the same way as our sister company, so since they are ISO 27001 certified, we can guarantee you that everything we do is also secure.
If you are managing your organisation’s third-party security risk management, be sure to review the ISO 27001 certificate you have received with an eagle’s eye: check that the certified legal entity is the vendor itself and that the scope covers the product/service you are buying. And for vendors, I would personally recommend being open and honest with your potential buyers about whether you are truly certified or not. “You” here means your own organisation and your own product/service. Although not being ISO 27001 certified can sometimes be a showstopper for your sales team, I’m sure there are buyers willing to work with you in other ways to make things workable.
What is the scope?
When a vendor has just started their business and jumped on the ISO 27001 bandwagon at an early stage, the certificate document is pretty straightforward: clear location(s) and clear products/services covered by the certification audit. However, as the company grows bigger and more complex, things can become entangled with each other, and the scope of the certification audit can become very complex, sometimes even “vague”.
I have seen cases where, when reviewing the security assurance for a product, the vendor submits their ISO 27001 certificate, which does not clearly state that this particular product was in scope of the audit. The product is claimed to be used by a certain service/process, and since the service/process is part of the certification audit, the product supposedly inherits the certification as well.
If you encounter a similar situation, I would recommend using other methods of assessment, such as threat and vulnerability scanning, a security questionnaire focused on the product, and most importantly a direct dialogue with the vendor’s engineering and security teams.
For vendors, certifying each and every one of your product/service offerings can be very expensive indeed. However, a clear separation of scope per product/service would be better, and I’m sure there are plenty of ways to make the overall audit process efficient and effective.
Statement of Applicability and “We comply with vs. We are certified”
I’ll discuss these two in this article.