Monday, January 21, 2008

Another security breach, but this one is different...

Late last week I saw the news around local JC Penney's hit the wire - "Data of 650,000 customers at risk." Now this situation appears completely different than TJX. The data, and I assume the protection of that data, were outsourced.

So this begs the question - should it be a requirement that vendors providing enterprises with services that include sensitive data be certified against ISO 27001?

Here is a great write-up, a case study I came across, of a vendor doing this. Just like we expect vendors to achieve specific Service Level Agreements on availability, performance... shouldn't we be doing the same things around security and risk?
