ISO 27001:2013 is an internationally recognised standard for Information Security Management Systems (ISMS).
The ISO 27001:2013 controls under Annex A.15 – Supplier Relationships – are about identifying and managing the risks that arise from the relationship between your organisation and its suppliers, so that your operations, and the information of your customers, remain protected.
Security used to be an inconvenience sometimes, but now it’s a necessity all the time. – Martina Navratilova
The main goal of the Supplier Relationships controls is to protect the organisation's information assets that suppliers can access, while keeping the business processes between you and your suppliers clear and well defined. A streamlined, documented approach also improves efficiency for both your business and your suppliers. This is a very important clause if you are looking to achieve ISO 27001:2013 certification. Let's look at the requirements and what they mean in a bit more depth.
Annex. A:15.1 Information Security in Supplier Relationships
Annex A.15.1 covers information security in supplier relationships and the policies that govern them. Suppliers are routinely granted access to company information as part of the service they provide, so ISO 27001 includes this clause to protect the organisation from unauthorised access by suppliers and to ensure that the access they do have is controlled.
Annex. A:15.1.1 Information Security Policy for Supplier Relationships
The information security requirements for mitigating the risks associated with supplier access to the organisation's assets should be agreed with the supplier and documented. Before granting any supplier access, the organisation should carry out a risk assessment, identify the security controls that are required, and include them in its supplier policy.
These could include the following:
- Identifying and documenting the types of supplier (e.g. IT services, logistics, financial services) that will be allowed access to the organisation's information;
- Controls over the accuracy and completeness of information transmitted by either party;
- Resilience and, where necessary, recovery and contingency arrangements to ensure the availability of information or information processing provided by either party;
- Awareness training on the applicable policies, processes and procedures for the organisation's staff involved in procurement;
- Awareness training for the organisation's staff on how to interact with supplier staff, with rules of engagement and behaviour appropriate to the type of supplier and its level of access to the organisation's systems and information;
- A legally binding agreement, signed by both parties, that sets out these requirements.
Annex. A:15.1.2 Addressing Security Within Supplier Agreements
All relevant information security requirements should be established and agreed with each supplier that may access, process, store or communicate the organisation's information, or provide IT infrastructure components for it. This clause is about defining and accepting those obligations and recording them in a documented policy. The policy should cover roles and responsibilities, the limits of the supplier's access to the organisation's information and systems, and the supplier's own security obligations. It should also give the organisation the right to audit the supplier and its subcontractors.
Annex. A:15.1.3 Information and Communication Technology Supply Chain
Supplier agreements should include requirements that address the information security risks associated with the information and communication technology services and product supply chain. In practice this means the supplier must notify the organisation of any information security risk arising in its own supply chain, explain how the risk was handled and which controls were applied, and confirm that it has been adequately mitigated; minor risks are not exempt. Effective control of the supply chain also requires the ability to trace the origin and history of the products and services supplied.
Annex. A:15.2 Supplier Service Delivery Management
Annex. A:15.2.1 Monitoring and Review of Supplier Services
The main objective of Supplier Service Delivery Management is to maintain an agreed level of information security and service delivery in line with the supplier agreements. The organisation should regularly monitor, review and audit supplier service delivery through a service management process between the organisation and the supplier that includes:
- Monitoring service performance levels to verify compliance with the agreements;
- Reviewing the supplier's service reports and holding regular progress meetings;
- Conducting supplier audits and following up on identified problems, together with reviewing independent auditor reports where available;
- Providing and reviewing information about information security incidents, as required by the agreements and any supporting guidelines and procedures;
- Reviewing supplier audit trails and records of information security events, operational problems, failures, fault tracking and service-related disruptions.
Annex. A:15.2.2 Managing Changes to Supplier Services
Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking account of the criticality of the business information, systems and processes involved and re-assessing the risks.
This clause requires a plan for implementing changes to supplier services. Any modification or enhancement of the services, any change in the technology used, and any change in supplier responsibilities must be covered by the supplier management policy and trigger a re-assessment of the associated risks.