Clause A.15 Supplier relationships ISO 27001 certification

Clause A.15 Supplier relationships of the standard ISO/IEC 27001:2013

Introduction about Supplier relationships

To implement effective processes for information security, the organization needs to establish a system that protects the organization’s assets accessible to suppliers (third parties) and maintains an agreed level of information security and service delivery in line with supplier agreements. This covers Clause A.15 Supplier relationships of the standard ISO/IEC 27001:2013.

Information security in supplier relationships

The objective here is to ensure protection of the organization’s assets that are accessible by suppliers.

Information security policy for supplier relationships

The organization shall ensure that the information security requirements for mitigating the risks associated with supplier’s access to the organization’s assets are agreed with the supplier and documented.

Addressing security within supplier agreements

All relevant information security requirements are established and agreed with each supplier that may access, process, store or communicate the organization’s information, or provide IT infrastructure components for it.

The organization shall ensure that the security controls, service definitions and delivery levels included in the third party service delivery agreement are implemented, operated, and maintained by the third party.

Information and communication technology supply chain

The organization’s agreements with suppliers include requirements to address the information security risks associated with the information and communications technology (ICT) services and product supply chain.

Supplier service delivery management

The objective here is to maintain an agreed level of information security and service delivery in line with supplier agreements.

Monitoring and review of supplier services

To fully comply with ISO 27001 certification requirements, the organization regularly monitors, reviews and audits supplier service delivery.

Service delivery by a third party must include the agreed security arrangements, service definitions, and aspects of service management. In case of outsourcing arrangements, the organization would plan the necessary transitions (of information, information processing facilities, and anything else that needs to be moved), and would ensure that security is maintained throughout the transition period.

The services, reports and records provided by the third party are regularly monitored and reviewed, and audits (internal ISMS audits) are carried out regularly.

Monitoring and review of third party services is to ensure that the information security terms and conditions of the agreements are being adhered to, and that information security incidents and problems are managed properly.

This involves a service management relationship and process between the organization and the third party to:

  1. monitor service performance levels to check adherence to the agreements
  2. review service reports produced by the third party and arrange regular progress meetings as required by the agreements
  3. provide information about information security incidents and review of this information by the third party and the organization as required by the agreements and any supporting guidelines and procedures
  4. review third party audit trails and records of security events, operational problems, failures, tracing of faults and disruptions related to the service delivered, and
  5. resolve and manage any identified problems.

The responsibility for managing the relationship with a third party could be assigned, for example, to the HOD (Purchase). The HOD (Purchase) consults the HOD (Technical) on all technical matters needing clarification. You are free to select whichever candidate is available and suitable for your organization and its structure.

In addition, the organization would ensure that the third party assigns responsibilities for checking compliance and enforcing the requirements of the agreements. Sufficient technical skills and resources are made available to monitor that information security requirements of the agreement are being met.

Appropriate action is taken when deficiencies in the service delivery are observed.

The organization maintains sufficient overall control and visibility into all security aspects for sensitive or critical information or information processing facilities accessed, processed or managed by a third party. The organization ensures that they retain visibility into security activities such as change management, identification of vulnerabilities, and information security incident reporting/response through a clearly defined reporting process, format and structure.

Managing changes to supplier services

Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, should be managed, taking account of the criticality of business information, systems and processes involved and re-assessment of risks.

The ISO 27001 certified organization shall have a process for managing changes to a third party service that takes account of:

  1. changes made by the organization to implement:
    • enhancements to the current services offered
    • development of any new applications and systems
    • modifications or updates of the organization’s policies and procedures, and
    • new controls to resolve information security incidents and to improve security
  2. changes in third party services to implement:
    • changes and enhancement to networks
    • use of new technologies
    • adoption of new products or newer versions/releases
    • new development tools and environments
    • changes to physical location of service facilities, and
    • change of vendors.
