{"id":13584,"date":"2021-12-30T00:53:35","date_gmt":"2021-12-29T21:53:35","guid":{"rendered":"https:\/\/www.arab-academy.com\/?p=13584"},"modified":"2024-10-23T00:14:49","modified_gmt":"2024-10-22T21:14:49","slug":"supplier-relationships-iso-27001","status":"publish","type":"post","link":"https:\/\/www.arab-academy.com\/en\/supplier-relationships-iso-27001\/","title":{"rendered":"Clause A.15 Supplier relationships of the standard ISO\/IEC 27001:2013"},"content":{"rendered":"<div class=\"wpb-content-wrapper\"><p>[vc_row][vc_column width=&#8221;3\/4&#8243;][vc_custom_heading text=&#8221;Clause A.15 Supplier relationships ISO 27001 certification&#8221; font_container=&#8221;tag:h1|text_align:left&#8221; use_theme_fonts=&#8221;yes&#8221; css=&#8221;.vc_custom_1638529958731{margin-bottom: 32px !important;}&#8221;][vc_single_image image=&#8221;13588&#8243; img_size=&#8221;large&#8221;][vc_column_text]<\/p>\n<h2><b>Introduction to Supplier relationships<\/b><\/h2>\n<div>\n<p style=\"text-align: justify;\">To implement effective processes for information security, the organization needs to establish a system that ensures protection of the organization\u2019s assets that are accessible by suppliers (third parties), and maintains an agreed level of information security and service delivery in line with supplier agreements, in order to cover Clause A.15 Supplier relationships of the standard <a href=\"https:\/\/www.arab-academy.com\/en\/iso-27001-information-security-management-system\/\">ISO\/IEC 27001:2013<\/a>.<\/p>\n<\/div>\n<h3><strong>Information security in supplier relationships<\/strong><\/h3>\n<p>The objective here is to ensure protection of the organization\u2019s assets that are accessible by suppliers.<\/p>\n<h3><a href=\"https:\/\/www.arab-academy.com\/en\/iso-27001-information-security-management-system-policy\/\">Information security policy<\/a> for supplier relationships<\/h3>\n<p style=\"text-align: justify;\">The organization shall ensure that the 
information security requirements for mitigating the risks associated with supplier\u2019s access to the organization\u2019s assets are agreed with the supplier and documented.<\/p>\n<h3>Addressing security within supplier agreements<\/h3>\n<p style=\"text-align: justify;\">All relevant information security requirements are established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization\u2019s information.<\/p>\n<p style=\"text-align: justify;\">The organization shall ensure that the security controls, service definitions and delivery levels included in the third party service delivery agreement are implemented, operated, and maintained by the third party.<\/p>\n<h3>Information and communication technology supply chain<\/h3>\n<p style=\"text-align: justify;\">Our organization\u2019s agreements with suppliers include requirements to address the information security risks associated with information and communications technology services and product supply chain.<\/p>\n<h2><strong>Supplier service delivery management<\/strong><\/h2>\n<p>The objective here is to maintain an agreed level of information security and service delivery in line with supplier agreements.<\/p>\n<h2>Monitoring and review of supplier services<\/h2>\n<p>To fully comply with <a href=\"https:\/\/www.arab-academy.com\/en\/iso-27001-certification-in-egypt\/\">ISO 27001 certification<\/a> requirements, the organization would regularly monitor, review and audit supplier service delivery.<\/p>\n<p style=\"text-align: justify;\">Service delivery by a third party must include the agreed security arrangements, service definitions, and aspects of service management. 
In the case of outsourcing arrangements, the organization would plan the necessary transitions (of information, information processing facilities, and anything else that needs to be moved), and would ensure that security is maintained throughout the transition period.<\/p>\n<p style=\"text-align: justify;\">The services, reports and records provided by the third party are regularly monitored and reviewed, and audits (internal ISMS audits) are carried out regularly.<\/p>\n<p style=\"text-align: justify;\">Monitoring and review of third party services is to ensure that the information security terms and conditions of the agreements are being adhered to, and that information security incidents and problems are managed properly.<\/p>\n<p style=\"text-align: justify;\">This involves a service management relationship and process between the organization and the third party to:<\/p>\n<ol>\n<li>monitor service performance levels to check adherence to the agreements<\/li>\n<li>review service reports produced by the third party and arrange regular progress meetings as required by the agreements<\/li>\n<li>provide information about information security incidents, and ensure this information is reviewed by the third party and the organization as required by the agreements and any supporting guidelines and procedures<\/li>\n<li>review third party audit trails and records of security events, operational problems, failures, tracing of faults and disruptions related to the service delivered, and<\/li>\n<li>resolve and manage any identified problems.<\/li>\n<\/ol>\n<p style=\"text-align: justify;\">The responsibility for managing the relationship with a third party could be assigned to the HOD (Purchase), as an example. 
The HOD (Technical) is consulted by the HOD (Purchase) for all technical matters needing clarification; note that you are free to select whichever candidate is available and suitable for your organization and its structure.<\/p>\n<p style=\"text-align: justify;\">In addition, the organization would ensure that the third party assigns responsibilities for checking compliance and enforcing the requirements of the agreements. Sufficient technical skills and resources are made available to monitor that the information security requirements of the agreement are being met.<\/p>\n<p style=\"text-align: justify;\">Appropriate action is taken when deficiencies in the service delivery are observed.<\/p>\n<p style=\"text-align: justify;\">The organization maintains sufficient overall control and visibility into all security aspects for sensitive or critical information or information processing facilities accessed, processed or managed by a third party. The organization ensures that it retains visibility into security activities such as change management, identification of vulnerabilities, and information security incident reporting\/response through a clearly defined reporting process, format and structure.<\/p>\n<h2>Managing changes to supplier services<\/h2>\n<p style=\"text-align: justify;\">Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, should be managed, taking account of the criticality of the business information, systems and processes involved and re-assessment of risks.<\/p>\n<p style=\"text-align: justify;\">The ISO 27001 certified organization shall have a process for managing changes to a third party service that takes account of:<\/p>\n<ol>\n<li>changes made by the organization to implement:\n<ul>\n<li>enhancements to the current services offered<\/li>\n<li>development of any new applications and systems<\/li>\n<li>modifications or updates 
of the organization\u2019s policies and procedures, and<\/li>\n<li>new controls to resolve information security incidents and to improve security<\/li>\n<\/ul>\n<\/li>\n<li>changes in third party services to implement:\n<ul>\n<li>changes and enhancements to networks<\/li>\n<li>use of new technologies<\/li>\n<li>adoption of new products or newer versions\/releases<\/li>\n<li>new development tools and environments<\/li>\n<li>changes to the physical location of service facilities, and<\/li>\n<li>change of vendors.<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n<p>[\/vc_column_text][vc_cta h2=&#8221;Request a Quote for training \/ consultation \/ certification&#8221; h2_font_container=&#8221;tag:h2|text_align:left&#8221; h2_use_theme_fonts=&#8221;yes&#8221; h4=&#8221;Complete package for ISO 27001 training \/ consultation \/ certification&#8221; h4_font_container=&#8221;tag:h4|text_align:left&#8221; h4_use_theme_fonts=&#8221;yes&#8221; shape=&#8221;round&#8221; color=&#8221;white&#8221; add_button=&#8221;bottom&#8221; btn_title=&#8221;Contact us \/ Request a Quote&#8221; btn_color=&#8221;blue&#8221; btn_align=&#8221;right&#8221; btn_i_align=&#8221;right&#8221; btn_i_icon_fontawesome=&#8221;fas fa-phone-alt&#8221; add_icon=&#8221;bottom&#8221; use_custom_fonts_h2=&#8221;true&#8221; use_custom_fonts_h4=&#8221;true&#8221; btn_add_icon=&#8221;true&#8221; i_on_border=&#8221;true&#8221; css=&#8221;.vc_custom_1638631863588{background-color: #dd9933 !important;}&#8221; btn_link=&#8221;url:https%3A%2F%2Fwww.arab-academy.com%2Fen%2Frequest-quotation%2F|title:Request%20a%20quotation&#8221;]<\/p>\n<p>Our information security experts will assist your organization to obtain ISO 27001 certification according to the ISO 27001 standard. Our experts will give full guidance to implement an effective information security management system and analyse your business risks. Request a quote now.<\/p>\n<p>[\/vc_cta][\/vc_column][vc_column width=&#8221;1\/4&#8243;][stm_sidebar 
sidebar=&#8221;11735&#8243;][\/vc_column][\/vc_row]<\/p>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>[vc_row][vc_column width=&#8221;3\/4&#8243;][vc_custom_heading text=&#8221;Clause A.15 Supplier relationships ISO 27001 certification&#8221; font_container=&#8221;tag:h1|text_align:left&#8221; use_theme_fonts=&#8221;yes&#8221; css=&#8221;.vc_custom_1638529958731{margin-bottom: 32px !important;}&#8221;][vc_single_image image=&#8221;13588&#8243; img_size=&#8221;large&#8221;][vc_column_text] Introduction to Supplier relationships To implement effective processes for information security, the organization needs to establish a system that ensures protection of the organization\u2019s assets that are accessible by suppliers (third parties), and maintains an agreed level of [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":13588,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[301],"tags":[],"class_list":["post-13584","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-iso-27001-certification"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.arab-academy.com\/en\/wp-json\/wp\/v2\/posts\/13584","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.arab-academy.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.arab-academy.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.arab-academy.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.arab-academy.com\/en\/wp-json\/wp\/v2\/comments?post=13584"}],"version-history":[{"count":0,"href":"https:\/\/www.arab-academy.com\/en\/wp-json\/wp\/v2\/posts\/13584\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.arab-academy.com\/en\/wp-json\/wp\/v2\/media\/13588"}],"wp:attachment":[{"href":"https:\/\/www.arab-academy.com\/en\/wp-jso
n\/wp\/v2\/media?parent=13584"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.arab-academy.com\/en\/wp-json\/wp\/v2\/categories?post=13584"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.arab-academy.com\/en\/wp-json\/wp\/v2\/tags?post=13584"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}