
ISO 27001 Annex A.15: Supplier Relationships

These controls aim to protect your company and its assets within third-party agreements with suppliers.

A.15.1 Information security and supplier relationships

A.15.1.1 Information security policy for supplier relationships

Suppliers are useful for handling work that you are either unable to do or prefer to pass on to another party, but you have to be careful whenever you involve external parties in your business.

Some of your suppliers will be more critical to your company than others and may be more actively involved in your firm. Your supplier selection policy should reflect these differences, including the conditions under which one supplier is deemed more critical than another.

Critical suppliers and partners, whose policies you may partially adopt, should be the focus in terms of risk and how the relationships are managed. Stick with partners who add value to your information assets or bring quality to your risk environment. A management system will help you regulate what kinds of assets your agreement involves and the level of engagement with your suppliers.

A.15.1.2 Addressing security within supplier agreements

Pay attention to businesses that are mature in terms of governance and compliance and may already be certified in ISO27001, as you could learn from them. Supplier agreements then need to have specific security and data protection components integrated into them. This includes:

  • Incident management
  • Legal bindings and regulations
  • Supplier staff screening and non-disclosure agreements (A.13.2.4)
  • Report requirements and reviews
  • Other third parties that may get involved, e.g., company subcontractors

As part of an agreement, try to find some common ground with your associate. Depending on the scope of your agreement, some factors listed above may be reduced or excluded from your contract. Use your discretion, but make sure everything is ethical and legal.

A.15.1.3 Information and communication technology supply chain

Most of the precautions that apply to physical supply chains also apply to digital ones. Your agreement's terms will depend on your company size and the nature of the work you wish to complete with your partner. Always assess the risks of doing business with external parties, with a focus on suppliers who handle confidential or high-risk data, and align with what is documented in your policy.

A.15.2 Supplier service delivery management

A.15.2.1 Monitoring and review of supplier services

You will be required to describe how your company plans to monitor, assess and audit suppliers and their service deliveries. These assessments are conducted in light of the risks posed by involving your information assets, so the audits and reviews will focus primarily on information security protocols. A process demonstrating that you monitor and review supplier services on a continuous basis is therefore critical.

A.15.2.2 Managing changes to supplier services

This control is about managing changes to supplier services so that these changes do not have an adverse effect on the ISMS. Any changes need to be managed and reviewed, and the risks understood.

The steps involved in reassessing your risks and analysing any systems and processes affected by those changes should then be documented.
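The following is an added example, not code from Hicomply or from the standard, showing how the A.15 controls above can be enforced over a supplier register: tiering suppliers by criticality (A.15.1.1), checking that each agreement covers the security components listed under A.15.1.2 unless a component has been deliberately waived with a documented reason, flagging overdue periodic reviews (A.15.2.1), and forcing a risk reassessment whenever the service has changed since the last review (A.15.2.2). The clause names, the review intervals, the "as of" date and the two suppliers are all constructed for the example; ISO 27001 sets no fixed review cadence.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta

# Security components an agreement must cover, mirroring the A.15.1.2 list above.
REQUIRED_CLAUSES = {
    "incident_management",
    "legal_and_regulatory",
    "staff_screening_nda",     # supplier staff screening and non-disclosure (A.13.2.4)
    "reporting_and_reviews",
    "subcontractor_terms",     # other third parties, e.g. the supplier's subcontractors
}

# Review cadence per criticality tier. Assumed values; the standard sets no fixed interval.
REVIEW_INTERVAL_DAYS = {"critical": 90, "standard": 365}


@dataclass
class Supplier:
    name: str
    handles_confidential_data: bool
    has_system_access: bool
    clauses: set[str]                                     # components present in the signed agreement
    waived: dict[str, str] = field(default_factory=dict)  # clause -> documented reason for excluding it
    last_review: date = date.min
    changes_since_review: list[str] = field(default_factory=list)

    @property
    def criticality(self) -> str:
        """A.15.1.1: suppliers touching confidential data or holding access form the critical tier."""
        if self.handles_confidential_data or self.has_system_access:
            return "critical"
        return "standard"


def missing_clauses(s: Supplier) -> list[str]:
    """A.15.1.2: required components neither present nor explicitly waived with a reason."""
    return sorted(REQUIRED_CLAUSES - s.clauses - set(s.waived))


def review_overdue(s: Supplier, today: date) -> bool:
    """A.15.2.1: the periodic review for this supplier's tier is past due."""
    return today - s.last_review > timedelta(days=REVIEW_INTERVAL_DAYS[s.criticality])


def reassessment_required(s: Supplier) -> bool:
    """A.15.2.2: any change to the service since the last review forces a risk reassessment."""
    return bool(s.changes_since_review)


def assess(s: Supplier, today: date) -> dict:
    """Combine the three checks into one record listing the actions the ISMS owner must take."""
    missing = missing_clauses(s)
    actions = []
    if missing:
        actions.append("amend agreement: add " + ", ".join(missing))
    if review_overdue(s, today):
        actions.append(f"run overdue {s.criticality}-tier review")
    if reassessment_required(s):
        actions.append("reassess risk for changes: " + "; ".join(s.changes_since_review))
    return {
        "supplier": s.name,
        "criticality": s.criticality,
        "missing_clauses": missing,
        "review_overdue": review_overdue(s, today),
        "reassessment_required": reassessment_required(s),
        "actions": actions,
    }


def assess_register(register: list[Supplier], today: date) -> list[dict]:
    return [assess(s, today) for s in register]


AS_OF = date(2024, 6, 1)  # constructed "today" so the run is deterministic

SAMPLE_SUPPLIERS = [  # constructed sample data, not real suppliers
    Supplier(
        name="Payroll processor (sample)",
        handles_confidential_data=True,
        has_system_access=False,
        clauses={"incident_management", "legal_and_regulatory",
                 "staff_screening_nda", "reporting_and_reviews"},
        last_review=date(2024, 1, 15),
        changes_since_review=["moved hosting to a new subcontractor"],
    ),
    Supplier(
        name="Office supplies vendor (sample)",
        handles_confidential_data=False,
        has_system_access=False,
        clauses={"incident_management", "legal_and_regulatory"},
        waived={
            "staff_screening_nda": "no access to information assets",
            "reporting_and_reviews": "low-risk commodity purchase",
            "subcontractor_terms": "no information assets shared that could reach subcontractors",
        },
        last_review=date(2024, 3, 1),
    ),
]

if __name__ == "__main__":
    for result in assess_register(SAMPLE_SUPPLIERS, AS_OF):
        print(result["supplier"], result["criticality"], result["actions"])
```

Run as a script, the payroll processor comes back as critical with three actions (the missing subcontractor clause, an overdue 90-day review, and a reassessment triggered by the hosting change), while the office supplies vendor is standard tier with no actions because its excluded clauses carry a recorded justification. Keeping the waiver reason in the register is what turns the "use your discretion" advice above into something an auditor can verify.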
