I'm a sysadmin and have recently started receiving requests for ISO 27001 documentation, something I've never dealt with before. How do you handle these requests? Do you just send over the certification, or is there a specific protocol you follow? Also, what if your organization isn't ISO 27001 certified?
5 Answers
ISO 27001 requests are becoming more common, especially for handling sensitive data. If you lack that certification, be prepared for more extensive inquiries about your security protocols. Some might even settle for a detailed security questionnaire in lieu of certification.
It's a business issue rather than a technical one. If you’re in this situation, it's important to escalate it to management. The work for certification can be intensive, so prepare for a busy time if clients are pressing for it.
Most companies just share their ISO 27001 certificate if they have one. If you’re not certified and they request it, unfortunately, you’ll need to get certified. It's quite a hassle, but necessary in many cases.
If you're certified, ensure that any relevant NDAs are signed before sending documentation. Typically, you’d share approved documents from management, like audit findings. If not certified, you might need to provide more details about your information security procedures instead.
You can't really fake it with ISO documents. If you're certified, just hand over the certificate. If not, you're upfront about it, and that usually ends the discussion.