ISO 27001 Annex : A.15.2 Supplier Service Delivery Management

Posted by Infosavvy on May 22nd, 2021


The objective of A.15.2 is to maintain an agreed level of information security and service delivery, in line with the supplier agreements.

A.15.2.1  Monitoring and Review of Supplier Services

Control – Organizations shall regularly monitor, review and audit supplier service delivery.

Implementation Guidance – Monitoring and review of supplier services should ensure that the information security terms and conditions of the agreement are being adhered to, and that information security incidents and problems are managed properly.

This will include a process of service management between the client and the supplier:

  1. Monitor service performance levels to verify compliance with the agreements;
  2. Review service reports produced by the supplier and arrange regular progress meetings as required by the agreements;
  3. Conduct supplier audits and follow up on reported problems, together with a review of independent auditor reports where available;
  4. Provide and review information about information security incidents as required by the agreements and any supporting guidelines and procedures;
  5. Review supplier audit trails and records of information security events, operational problems, failures, fault tracing and disruptions related to the service delivered;
  6. Resolve and manage any problems identified;
  7. Review the information security aspects of the supplier's relationships with its own sub-suppliers;
  8. Ensure that the supplier maintains sufficient service capability, together with workable plans, so that agreed service continuity levels are maintained following major service failures or disasters.

A designated individual or service management team should be responsible for managing supplier relationships. In addition, the organization should ensure that suppliers assign responsibilities for reviewing compliance and enforcing the requirements of the agreements. Sufficient technical skills and resources should be available to monitor that the requirements of the agreement, in particular the information security requirements, are being met. Appropriate action should be taken when deficiencies in the service delivery are observed.

Where a supplier accesses, stores or controls sensitive or critical information and information processing facilities, the organization should retain sufficient overall control and visibility of all security aspects. Through a defined reporting process, the organization should retain visibility of security activities such as change management, identification of vulnerabilities, and information security incident reporting and response.

A.15.2.2  Managing Changes to Supplier Services

Control – Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, should be managed, taking account of the criticality of the business information, systems and processes involved and a re-assessment of risks.

Read More : https://info-savvy.com/iso-27001-annex-a-15-2-supplier-service-delivery-management/
