
ISO 27001 Annex A.15: Supplier Relationships

These controls aim to protect your company and its information assets wherever a third-party supplier is given access to them under an agreement.

A.15.1 Information security and supplier relationships

A.15.1.1 Information security policy for supplier relationships

Suppliers are useful for handling work that you are either unable to do yourself or prefer to pass to another party, but every time you involve an external party in your business you extend your risk environment to include them.

Some suppliers will be more critical to your company than others and more closely involved in your operations, for example because they host your systems or process your customers' data. Your supplier policy should reflect these differences and state the criteria that make one supplier more critical than another, such as the sensitivity of the information they can access, the services that depend on them and how easily they could be replaced.

The critical suppliers and partners, including those whose own policies you partially rely on, are the ones to focus on in terms of risk assessment and how the relationship is managed. Stick with partners who add value to your information assets or bring quality to your risk environment. A management system helps you regulate which assets each agreement covers and the level of access and engagement each supplier is granted.

A.15.1.2 Addressing security within supplier agreements

Pay attention to suppliers that are mature in terms of governance and compliance, and may already be certified to ISO 27001, as you can learn from them. Supplier agreements then need to have specific security and data protection requirements integrated into them. This includes:

  • Incident management, including how and when the supplier must notify you of an incident
  • Legal and regulatory obligations that bind both parties
  • Screening of supplier staff who will have access to your information
  • Non-disclosure and confidentiality agreements (A.13.2.4)
  • Reporting requirements and reviews
  • Other third parties that may become involved, e.g. the supplier's own subcontractors

As part of an agreement, try to find common ground with your supplier; depending on the scope of the agreement, some of the factors listed above may be reduced or excluded from the contract. Use your discretion, but make sure that whatever is agreed is ethical and legal, and that any requirement you drop is justified by your risk assessment rather than by convenience.

A.15.1.3 Information and communication technology supply chain

Most of the precautions that apply to physical supply chains also apply to ICT supply chains, where the product you receive may itself depend on components, software and services from the supplier's own suppliers. Your agreement's terms will depend on your company size and the nature of the work you wish to complete with your partner. Always assess the risks of doing business with external parties, with a focus on suppliers who handle confidential or high-risk data, and align the assessment with what is documented in your policy.

A.15.2 Supplier service delivery management

A.15.2.1 Monitoring and review of supplier services

You will be required to describe how your company monitors, assesses and audits suppliers and their service delivery. These assessments are conducted in light of the risks posed by giving the supplier access to your information assets, so the audits and reviews focus primarily on the information security requirements in the agreement. A documented process showing that you monitor and review supplier services on a continuous basis, not just at onboarding, is therefore critical.

A.15.2.2 Managing changes to supplier services

This control is about managing changes to supplier services so that those changes do not have an adverse effect on the ISMS. Changes can come from either side: a new service or subcontractor introduced by the supplier, or a change in how your own business uses the service. Any such change needs to be managed and reviewed, and the risks understood, before it takes effect.

The steps taken to reassess your risks and analyse the systems and processes affected by a change should then be documented, so that the record shows what changed, who reviewed it and what was decided.