
I received a question as follows: Does the vendor solution need to have the ISO 27001 certification for the application itself, or just for the hosting of the platform?

In my understanding, an ISO 27001 cert concerns companies/vendors and includes both the solution and the hosting platform. Are they separable? In the case of a SaaS solution, can I have the platform certified and the app not?

Elom ETSE

As far as I know you are correct, you can only certify companies and not products. And even if a company is certified, there is a statement of applicability, which clearly states which parts of the company are certified. It doesn't have to be the whole company. – Martin Weil Nov 18 '19 at 07:40

1 Answer

ISO 27001 is about how security is managed, not how secure a product is. It would, therefore, be very difficult to define a particular app as the scope for certification if the infrastructure is also under the company's control.

You manage the security of the infrastructure and then develop on top of that secure foundation. That's the intention of the certification.

If your scope of control is only the development of the app, then you still certify the development company, not the app.

That isn't to say that you couldn't convince some assessor somewhere to certify you with just the app as the scope. I'm sure you could. But any potential partner/customer/stakeholder looking at the certification's scope will not take the certification seriously and will start to doubt your competence more than if you had no certification to begin with.

schroeder