ISO 27001 Annex : A.15 Supplier Relationships

Posted by Infosavvy on May 19th, 2021


This article explains ISO 27001 Annex A.15, Supplier Relationships, and in particular control objective A.15.1, Information Security in Supplier Relationships, together with the supplier security policy that control A.15.1.1 requires.

A.15.1  Information Security in Supplier Relationships

Its objective is to ensure the protection of the organization’s assets that are accessible to suppliers.

A.15.1.1  Information Security Policy for Supplier Relationships

Control – Information security requirements for mitigating the risks associated with supplier access to the organization’s assets should be agreed with the supplier and documented.

“The company becomes safer and happier if it has better stakeholders.”


Implementation Guidance – The organization should identify and mandate information security controls in a policy that specifically addresses supplier access to the organization’s information. These controls should cover the processes and procedures that the organization itself implements, as well as those it requires the supplier to implement, including the following:

  1. identifying and documenting the types of suppliers, e.g. IT services, logistics services, financial services, IT infrastructure components, that the organization will allow to access its information;
  2. a standardized process and lifecycle for managing supplier relationships;
  3. defining the types of information access that different types of suppliers are allowed, and monitoring and controlling that access;
  4. minimum information security requirements for each type of information and type of access, to serve as the basis for individual supplier agreements based on the organization’s business needs, requirements and risk profile;
  5. processes and procedures for monitoring adherence to the established information security requirements for each type of supplier and type of access, including third-party review and product validation;
  6. accuracy and completeness controls to ensure the integrity of the information or information processing provided by either party;
  7. the types of obligations applicable to suppliers to protect the organization’s information;
  8. handling of incidents and contingencies associated with supplier access, including the responsibilities of both the organization and the supplier;
  9. resilience and, where necessary, recovery and contingency arrangements to ensure the availability of the information or information processing provided by either party;
  10. awareness training for the organization’s personnel involved in acquisitions regarding the applicable policies, processes and procedures;
  11. awareness training for the organization’s personnel who interact with supplier personnel regarding appropriate rules of engagement and behaviour, based on the type of supplier and the level of supplier access to the organization’s systems and information;
  12. the conditions under which information security requirements and controls are documented in an agreement signed by both parties;
  13. managing the necessary transitions of information, information processing facilities and anything else that needs to be moved, and ensuring that information security is maintained throughout the transition period.
-------------------------------------------------------------------------------------------------------------------------

This Blog Article is posted by

Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092

Contact us – www.info-savvy.com
