
Suppose that in the ISMS scope I have the management of services provided by some cloud provider, i.e. the provider provides me a virtual server for performing certain critical operations.

I would like to ask what I need to get as evidence of security compliance for the following scenarios:

a) Cloud provider is ISO27001 certified. I guess I only need to show that the relevant services are in the scope of its certificate that is public.
b) Cloud provider is following ISO27001 but is NOT certified: Do I need to have an SLA for providing me the internal audit results or allow me to do a pentest on their site?
c) Does not follow ISO27001 best practices (or at least does not claim): Do I need to have an SLA and their authorization to perform a pentest?

In case the cloud provider does not accept, do I only say it is an acceptable risk?

WoJ

1 Answer

a) is clear: if the outsourced service is in the scope of their certification then you can offload to them.

b) and c) are the same from a pure ISO perspective: they are not certified and it is up to you to ensure that this part is appropriately covered.

Appropriately means that you have assessed the risk and acted upon it (accept, mitigate, insure). How you do it is up to you (and will be hopefully agreed upon by the auditor), this may include contracting the existence of their audit results (an SLA would be part of the contract), or the ability to perform your own.

WoJ