If both the SoA and the ISO Certificate are provided but neither is acceptable, or when an ISO Certificate is provided without an SoA, reject the supplier's assertion that they hold ISO certification with an entry along the following lines in cell J8 (I8 for Cloud DDQs):
Quote
The Assessor disagrees with the Supplier when they responded that they have a valid ISO27001 and Statement of Applicability.
That is because the Supplier has not provided a Statement of Applicability (SoA).
The Assessor therefore changes the cell to the left from “ISO 27001” to “No”.
That assessment means that every security control question for which ISO 27001 is treated as “Fully Implemented and independently assessed” is now assessed as “Not in place”. That is because the supplier was never shown these questions: they believed they had submitted a valid ISO 27001 certificate.
The Gap Severity is automatically “Very High” for all of the ISO 27001 questions that are automatically set to “Not in place” where the assessor has rejected the ISO 27001 certificate.