Font size: +
3 minutes reading time (525 words)

ISO27001 and the Supplier relationship requirements

Like many of the ISO standards ISO27001 for information security management systems needs you to have a relationship with your supplier, that relationship of course should be one of mutual benefit and respect what Annex clause A15 does however set up the requirements for implementing some targets in terms of information security requirements.  

A.15.1 Information security in supplier relationships 

The purpose of this section of annex clause 15 is all around the requirement that as an organisation, you need to protect your information security assets that the supplier has access to. There are 3 areas here that the organisation needs to consider:

A.15.1.1. Information security policy for supplier relationships – unlike other policies, this isn't going to be a 1 overarching document. While you may decide that you want to have a supplier relationships policy, you will need to have individual documented agreements with each supplier specifically managing the risks associated with the supplier's access to information security assets. That means that you will need to look at your information security assets that you outlined in Annex Clause A8 and ensure you have the controls in place for those items.

A.15.1.2 Address security agreements within supplier agreements – this requirement builds on your information security policy for supplier relationships by making you include the requirements for your information security into your supplier agreements. Specifically, you need to be thinking about all items that they have access to, process, store, communicate or provide infrastructure components for your organisation's information.

A.15.1.3 information and the communication technology supply chain – This requirement is still about your supplier agreements, and it's looking for you to include requirements for your supplier to address any information security risks that are linked to the information and communication services or the product supply chain that are linked to what they as a supplier provide.

A.15.2. Supplier service delivery management

The purpose of this section is designed to help the organisation manage the supplier relationship at an agreed level within the supplier agreements. There are only 2 requirements here, but they are important ones:

A.15.2.1 Monitoring and review of supplier services – It's all well and good writing requirements for your information security management system into your supplier agreements, but if you don't monitor and review the performance, those requirements are worthless. This part of the Annex clause specifically requires you to implement regular management of your supplier in terms of monitoring, review their performance and of course audit them to ensure they are doing what you require.

A.15.2.2 Managing changes to the supplier services – this final section of ISO27001 annex clause 15 is about managing change. Making sure your supplier is aware of any changes you make is important, equally important however is that the supplier keeps you informed of any changes they make. This should include things like maintenance, information security policies or processes and controls. Where changes are made, there should be a review of the initial risk assessment you undertook for that factor and consider if the changes impact those risk levels, and if you are happy with those changes.

Ready To Start Your ISO27001 Journey?

Make a booking now and find out how we can help you Make Things, Better

Ready To Start Your ISO27001 Journey?

Make a booking now and find out how we can help you Make Things, Better
Mango Logo

Simplify ISO27001 with Mango

Stop waiting time with multiple different systems, see how Mango can manage all of your ISO27001 requirements in one fully integrated solution.

Make a booking now to see how simple it is to integrate your systems, reduce paperwork, save time and be compliant.
Mango QHSE Compliance Software made simple
Reclaim your precious time
Virtual Quality Management Logo
Our Virtual Quality Management Support is designed to help your company achieve improved results plus meet the requirements of any ISO Standard, but at a fraction of the cost.


© Many Caps Consulting | All Rights Reserved

Stay Informed

When you subscribe to the blog, we will send you an e-mail when there are new updates on the site so you wouldn't miss them.

ISO27001 and the System acquisition, development, ...

Related Posts



No comments made yet. Be the first to submit a comment
Sunday, 26 June 2022

Captcha Image

Subscribe to Our Newsletter

To Get Regular Updates on ISO | Lean | Free Resources
Sorry we need your name
Invalid Input - Sorry we need your last name here
Sorry Can you just check your email address as well
Invalid Input

Latest Blog Post

Trees That Count
memeber of New Zealand Institute of Directors