ISO27001 and the Supplier relationship requirements
Like many of the ISO standards, ISO27001 for information security management systems requires you to have a relationship with your suppliers. That relationship should, of course, be one of mutual benefit and respect; what Annex clause A.15 does is set out the requirements for implementing some targets in terms of information security requirements.
A.15.1 Information security in supplier relationships
The purpose of this section of Annex clause A.15 is the requirement that, as an organisation, you need to protect the information security assets that your suppliers have access to. There are 3 areas here that the organisation needs to consider:
A.15.1.1 Information security policy for supplier relationships – unlike other policies, this isn't going to be one overarching document. While you may decide that you want a supplier relationships policy, you will also need individual documented agreements with each supplier that specifically manage the risks associated with that supplier's access to your information security assets. That means you will need to look at the information security assets you outlined in Annex clause A.8 and ensure you have the controls in place for those items.
A.15.1.2 Addressing security within supplier agreements – this requirement builds on your information security policy for supplier relationships by requiring you to include your information security requirements in your supplier agreements. Specifically, you need to think about everything the supplier has access to, processes, stores, communicates or provides infrastructure components for, in relation to your organisation's information.
A.15.1.3 Information and communication technology supply chain – this requirement is still about your supplier agreements; it asks you to include requirements for your supplier to address any information security risks linked to the information and communication technology services or product supply chain behind what they, as a supplier, provide to you.
A.15.2 Supplier service delivery management
This section is designed to help the organisation manage the supplier relationship at the level agreed in the supplier agreements. There are only 2 requirements here, but they are important ones:
A.15.2.1 Monitoring and review of supplier services – it's all well and good writing the requirements of your information security management system into your supplier agreements, but if you don't monitor and review performance against them, those requirements are worthless. This part of the Annex clause specifically requires you to manage your suppliers on a regular basis: monitor them, review their performance and, of course, audit them to ensure they are doing what you require.
A.15.2.2 Managing changes to the supplier services – this final section of ISO27001 Annex clause A.15 is about managing change. Making sure your supplier is aware of any changes you make is important; equally important, however, is that the supplier keeps you informed of any changes they make. This should include things like maintenance, and changes to information security policies, processes and controls. Where changes are made, you should review the initial risk assessment you undertook for that supplier, consider whether the changes affect those risk levels, and decide whether you are happy with the changes.
© Many Caps Consulting | All Rights Reserved