Clause A.15 Supplier relationships ISO 27001 certification
Introduction to supplier relationships
To implement effective processes for information security, the organization needs to establish a system that ensures protection of the organization’s assets that are accessible by suppliers (third parties) and maintains an agreed level of information security and service delivery in line with supplier agreements, so as to cover Clause A.15 Supplier relationships of ISO/IEC 27001:2013.
Information security in supplier relationships
The objective here is to ensure protection of the organization’s assets that are accessible by suppliers.
Information security policy for supplier relationships
The organization shall ensure that the information security requirements for mitigating the risks associated with suppliers’ access to the organization’s assets are agreed with the supplier and documented.
Addressing security within supplier agreements
All relevant information security requirements are established and agreed with each supplier that may access, process, store or communicate the organization’s information, or provide IT infrastructure components for it.
The organization shall ensure that the security controls, service definitions and delivery levels included in the third party service delivery agreement are implemented, operated, and maintained by the third party.
Information and communication technology supply chain
Our organization’s agreements with suppliers include requirements to address the information security risks associated with the information and communications technology services and product supply chain.
Supplier service delivery management
The objective here is to maintain an agreed level of information security and service delivery in line with supplier agreements.
Monitoring and review of supplier services
To fully comply with ISO 27001 certification requirements, the organization should regularly monitor, review and audit supplier service delivery.
Service delivery by a third party must include the agreed security arrangements, service definitions, and aspects of service management. In the case of outsourcing arrangements, the organization should plan the necessary transitions (of information, information processing facilities, and anything else that needs to be moved), and should ensure that security is maintained throughout the transition period.
The services, reports and records provided by the third party are regularly monitored and reviewed, and audits (internal ISMS audits) are carried out regularly.
Monitoring and review of third party services ensures that the information security terms and conditions of the agreements are being adhered to, and that information security incidents and problems are managed properly.
This involves a service management relationship and process between the organization and the third party to:
- monitor service performance levels to check adherence to the agreements
- review service reports produced by the third party and arrange regular progress meetings as required by the agreements
- provide information about information security incidents, with review of this information by the third party and the organization as required by the agreements and any supporting guidelines and procedures
- review third party audit trails and records of security events, operational problems, failures, tracing of faults and disruptions related to the service delivered, and
- resolve and manage any identified problems.
The responsibility for managing the relationship with a third party could be assigned to the HOD (Purchase), for example, with the HOD (Technical) consulted by the HOD (Purchase) on all technical matters needing clarification. The choice of role is yours: select the candidate that is available and suitable for your organization and its structure.
In addition, the organization should ensure that the third party assigns responsibilities for checking compliance and enforcing the requirements of the agreements. Sufficient technical skills and resources are made available to monitor whether the information security requirements of the agreement are being met.
Appropriate action is taken when deficiencies in the service delivery are observed.
The organization maintains sufficient overall control and visibility into all security aspects of sensitive or critical information or information processing facilities accessed, processed or managed by a third party. The organization ensures that it retains visibility into security activities such as change management, identification of vulnerabilities, and information security incident reporting/response through a clearly defined reporting process, format and structure.
Managing changes to supplier services
Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, should be managed, taking account of the criticality of the business information, systems and processes involved and a re-assessment of risks.
The ISO 27001 certified organization shall have a process for managing changes to a third party service that takes account of:
- changes made by the organization to implement:
  - enhancements to the current services offered
  - development of any new applications and systems
  - modifications or updates of the organization’s policies and procedures, and
  - new controls to resolve information security incidents and to improve security
- changes in third party services to implement:
  - changes and enhancements to networks
  - use of new technologies
  - adoption of new products or newer versions/releases
  - new development tools and environments
  - changes to the physical location of service facilities, and
  - change of vendors.