- without knowing the specifics of your situation and the scope
of your ISMS, it would be difficult to offer more, but given the example
you gave about data exchange, here are some things that might come into
play from an ISO 27001 perspective:
- *Information Classification Policy*: this would typically outline the
various classifications you have in place for your data. In this case,
company B (the ISO 27001-certified company) would normally have specific
classification levels in place to distinguish the different types of data
and how to protect each group. This would be important to consider in the
exchange of data, because company B would need to ensure that the exchange
process is in line with their policies around handling and protection of
each type of data, depending on how it's classified. Some examples of
classifications are "sensitive/regulated," "restricted," "confidential,"
- *Information Labeling Policy*: this would typically set forth
requirements around how information is labeled in order to provide a visual
cue/reminder to people about the sensitivity of that information. I would
expect company B to have this kind of policy in place.
- *Information Transfer Policy*: this policy would typically outline
general requirements around how information must/mustn't be transferred
that apply to all information. Additionally, it would also normally include
specific requirements for which transfer modes (email, text, IM, phone,
fax, etc.) can/cannot be used for transferring different classes of data,
and how data must be protected depending on the mode that is being used for
the transfer (e.g. encryption).
Those are just a few that come to mind, but depending on the specifics of
your situation, there may be a few other policies from company B's ISMS
that may come into play.
Hope this is somewhat helpful.