Archive for April, 2012

ISO 27001 Full Circle with Your Third Party Providers

My organization is seeking ISO 27001 certification but we outsource physical hosting to a third party.

How do I have to include that organization in the scope of my Information Security Management System (ISMS) when we are not responsible for those physical and environmental controls?

This question is common for organizations implementing an ISMS.  The struggle on how to treat a critical third party service provider occurs often when an organization is in the early stages of scoping their ISMS.  Some organizations attempt to scope the third party provider within their ISMS, which leads to difficulties when trying to treat the risks that might be applicable to a third party.  Other organizations take a more tolerant approach and “transfer” all applicable outsourcing risk to the third party service provider, without treating the risk at all.  The correct approach is actually somewhere in the middle.

Generally speaking, an organization must exclude a third party from their ISMS risk assessment process if the direct risks related to that third party cannot be reasonably treated by the organization.  For example, consider the physical access controls necessary to mitigate the risk that unauthorized access could be granted to production systems.  If the production systems are maintained at a third party data center, the organization is obviously not accountable for determining appropriate physical security controls, such as assigning access, granting access, monitoring access, and revoking access.

So, using the example described above, can the organization simply disregard consideration of these issues under the guise that the third party data center is responsible for these risks and controls?  No.  As production systems would be considered a critical component of any organization’s ISMS, risk cannot be merely transferred to a third party.  There is inherent risk in any outsourced relationship, and the greater the criticality to the ISMS, the greater the risk to the organization.  Management would be required to consider that risk and determine in what way that risk should be treated.

Controls applicable to the management and monitoring of third party service organizations are included within the ISO 27001 control set (specifically within A.6.2 and A.10.2).  While an organization cannot include the controls of a third party provider within their ISMS, they should have a process in place to evaluate and monitor the related third party provider controls to ensure that they are acceptably implemented and meet the expectations of the organization.  Evidence of that monitoring should be available as a record of the ISMS.

Though an organization’s certificate scope statement would not formally include the location and services of a third party provider, be sure that those services and locations would be included within the overall ISMS under the controls related to third-party management and monitoring.  Any appropriately designed ISMS must include a risk assessment process which considers risks related to the services provided by significant third parties such as data centers.

For more information about ISO 27001 visit BrightLine’s website.


BrightLine is Now an Approved QSA Firm in All Global Regions

TAMPA, Fla.–(BUSINESS WIRE) -BrightLine is pleased to announce that it is now an accredited Payment Card Industry Qualified Security Assessor (PCI QSA) company for all six international servicing markets.  BrightLine was previously accredited to provide services in North America, Canada, Latin America, and the Central Europe, Middle East, and Africa (CEMEA) markets.  With the addition of Western Europe and Asia Pacific, BrightLine becomes one of only five companies approved to provide PCI DSS validation services globally.

“In the course of providing services to clients in nearly 25 countries, BrightLine has obtained accreditation each time we enter a new region,” stated Douglas Barbin, PCI Practice Leader at BrightLine. “Our QSAs now have a reach that matches the footprint of our clients, a global one.”

Originally specializing in SAS 70 audits, now known as SSAE 16 (SOC 1) examinations, BrightLine’s service lines expanded to include PCI DSS validation and ISO 27001 certification services. Offering clients a unique opportunity to meet multiple compliance objectives through a single vendor, BrightLine performs approximately 500 assessment projects a year for industry-leading service organizations, including globally-located data centers and cloud computing providers.

“On a daily basis, clients are realizing the benefits of using one assessment firm to achieve their SOC, PCI, and ISO objectives,” stated Chris Schellman, President of BrightLine. “Our integrated approach allows companies to optimize their resources and drastically reduce the cost and operational burden of a multi-auditor approach.”

Organizations seeking further information on PCI DSS validation, SOC reporting options, or ISO 27001 certification may visit www.brightline.com.
