Third Party Assessments - Case Study

Managed Security Services Provider with Outsourcing Arrangements

Background:
Our client ('Client'), the managed security services division of a large technology company, had outsourced part of its IT operations and security monitoring functions to a third-party service provider ('Vendor').

Business Motivators
The client wanted an independent, third-party validation of the information security services the vendor provided to the organization, and wanted to verify that the scope of the vendor's ISO 27001 certification was appropriate and adequate for those services.

  • Confirming that the vendor's certified scope actually covered the services delivered to the client helped the client demonstrate due diligence to internal and external stakeholders, while providing much-needed assurance over the outsourced services the client depended on.

The Challenge
The client did not have an operational ISMS; it did, however, have a high-level security policy supported by information classification standards with defined requirements. Several security processes, including risk assessments, were performed informally, i.e., they were neither formalized nor auditable.

The vendor had an operational, ISO 27001-certified ISMS. However, because the vendor's operations were offshore, activities such as obtaining assurance over the scope of certification, confirming that the scope was adequate for the services rendered, and verifying the effectiveness of the vendor's information security processes and controls could not easily be performed by the client.

The Solution
We designed an assessment methodology including templates for the following:

  • Data flow diagrams that captured the classification levels of critical data and identified critical hand-off points between the client and the vendor
  • Mapping of requirements from the client's policies and standards for handling sensitive data against the vendor's specifications, for example the vendor's Statement of Applicability and process manuals
  • Tools and templates that enabled the client to perform strategic, tactical and operational-level risk assessments on its own
  • Checklists to ensure key risk areas were appropriately covered by the vendor's risk assessment and risk management processes
  • Questionnaire-based assessment tools to verify the adequacy of the vendor's processes and the appropriateness of its controls
  • Evidence-based reviews to verify the effectiveness of the vendor's processes and controls
  • Key risk and control areas for which the vendor was requested to provide performance reports and management-review reports on an ongoing basis
  • Checklists for field inspections and assessments that client representatives could complete during site visits in a short time and with minimal effort
  • A roadmap for extending this model to other third-party service providers in future
  • Several of these tools and templates were aligned with ISO 27001 requirements, making them flexible and transferable to other engagements

Beyond designing the assessment methodology and toolkit, we also assessed the vendor's environment using the toolkit. This allowed us to fine-tune the toolkit to the client's requirements and to transfer the knowledge and skills to a client team member as part of the client's on-the-job training plan.

The Result
We were able to assess the vendor's capabilities and obligations and to identify areas for improvement. In addition to enabling the client to perform such reviews internally in future, the project and its results enabled the client to plan the implementation of its own ISMS and ISO 27001 certification.
