July 25, 2023

ISO 27001 Annex A.15: Supplier Relationships

These controls aim to protect your company and its assets within third-party agreements with suppliers.


A.15.1 Information security and supplier relationships

A.15.1.1 Information security policy for supplier relationships

Suppliers are great for handling work that you are either unable to do or prefer passing on to another party to do, but you have to be careful whenever you involve external sources in your business.

Some of your suppliers will be more critical to your company than others and may be more actively involved in your firm. Your supplier selection policy should reflect these differences, including the conditions that make one supplier more critical than another.

Critical suppliers and partners, whose policies you may partially adopt, are the ones to focus on in terms of risk and how the relationships are managed. Stick with partners who add value to your information assets or bring quality to your risk environment. A management system will help you regulate what kinds of assets your agreement will involve and the level of engagement with your suppliers.

A.15.1.2 Addressing security within supplier agreements

Pay attention to businesses that are mature in terms of governance and compliance and may already be certified in ISO 27001, as you could learn from them. Supplier agreements then need to have specific security and data protection components integrated into them. This includes:

  • Incident management
  • Legal bindings and regulations
  • Supplier staff screening and non-disclosure agreements (A.13.2.4)
  • Report requirements and reviews
  • Other third parties that may get involved, e.g., company subcontractors

As part of an agreement, try to find some common ground with your associate. Depending on the scope of your agreement, some factors listed above may be reduced or excluded from your contract. Use your discretion, but make sure everything is ethical and legal.

A.15.1.3 Information and communication technology supply chain

Most of the precautions included for physical supply chains will apply to digital ones. Your agreement’s terms will depend on your company size and the nature of the work you wish to complete with your partner. Always assess the risks of doing business with external parties, with a focus on suppliers who handle confidential or high-risk data, and align with what is documented in your policy.

A.15.2 Supplier service delivery management

A.15.2.1 Monitoring and review of supplier services

You will be required to describe how your company plans to monitor, assess and audit suppliers and their service deliveries. These assessments will be conducted in light of the risks posed by involving your information assets, so the audits and reviews will focus primarily on information security protocols. A process showing that you monitor and review supplier services on a continuous basis is therefore critical.

A.15.2.2 Managing changes to supplier services

This control is about managing changes to supplier services so that these changes do not have an adverse effect on the ISMS. Any changes need to be managed and reviewed, and the risks understood.

The steps taken to reassess your risks and analyse any systems and processes affected by those changes should then be documented.
