Adding ISMS Scope and Statement of Applicability requirements for ISO 27001 Cert evidence
Why is this change being made?
💡 Provide a detailed answer to the question on why this change is being proposed, in accordance with our value of Transparency.Please add the details saying why, not just what in this section. Example:
We have discussed the topic in Slack - (copy of Slack conversation). The current process is not efficient, this MR makes the description of X more clear, and helps move Y forward.
The ISO 27001 Cert alone does not provide the same level of context as a SOC2 Type 2 report. There are standard definitions and documents that are created during the ISO 27001 certification process including the Information Security Management System (ISMS) Scope (example for GitLab) and the Statement of Applicability (SoA). Adding these as evidence requirements improves the level of assurance by validating that the services we are requesting from the vendor are covered by the ISO cert (ISMS scope) and that the policies and controls applied by the organization (SoA) meet our TPRM standards.
With this change we would also update our Attestation question in our questionnaire to the following:
| Old Language | New Language |
|---|---|
| Please attach a copy of your most recent SOC 2 report or ISO 27001 certification. | Please attach a copy of your most recent SOC 2 report or ISO 27001 certification. If providing an ISO 27001 certificate, please also provide the Scope of the ISMS and the Statement of Applicability (SoA). |
Author and Reviewer Checklist
Please verify the check list and ensure to tick them off before the MR is merged.
-
Provided a concise title for this Merge Request (MR) -
Added a description to this MR explaining the reasons for the proposed change, per say why, not just what - Copy/paste the Slack conversation to document it for later, or upload screenshots. Verify that no confidential data is added, and the content is SAFE
-
Assign reviewers for this MR to the correct Directly Responsible Individual/s (DRI) - If the DRI for the page/s being updated isn’t immediately clear, then assign it to one of the people listed in the
Maintained bysection on the page being edited - If your manager does not have merge rights, please ask someone to merge it AFTER it has been approved by your manager in #mr-buddies
- The when to get approval handbook section explains the workflow in more detail
- If the DRI for the page/s being updated isn’t immediately clear, then assign it to one of the people listed in the
-
For transparency, share this MR with the audience that will be impacted. -
Team: For changes that affect your direct team, share in your group Slack channel -
Department: If the update affects your department, share the MR in your department Slack channel -
Division: If the update affects your division, share the MR in your division Slack channel -
Company: If the update affects all (or the majority of) GitLab team members, post an update in #whats-happening-at-gitlab linking to this MR - For high-priority company-wide announcements work with the internal communications team to post the update in #company-fyi and align on a plan to circulate in additional channels like the "While You Were Iterating" Newsletter
-
Commits
- Adding ISMS Scope and Statement of Applicability requirements for ISO 27001 Cert evidence