ISO 27001: Management Clause 15
iFour Consultancy
ISMS Framework: Clause 15 – Supplier Management
ISO 27001:2013 divides Supplier Management into:
• Clause A.15.1: Information Security in Supplier Relationships
• Clause A.15.2: Supplier Service Delivery Management
Supplier Management – ISMS Requirements
Software Outsourcing Companies in India
Clause A.15.1: Information Security in Supplier Relationships
Objective
• To ensure protection of the organization's assets that are accessible by suppliers
Controls
• A.15.1.1 Information security policy for supplier relationships
• A.15.1.2 Addressing security within supplier agreements
• A.15.1.3 Information and communication technology supply chain
A.15.1.1 Information security policy for supplier relationships
Control
• Information security requirements for mitigating the risks associated with the supplier's access to the organization's assets shall be agreed with the supplier and documented.
A.15.1.2 Addressing security within supplier agreements
Control
• All relevant information security requirements shall be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization's information.
Supplier agreements should address:
• Definitions of data ownership and disposition throughout the service lifecycle
• The organization's data classification requirements as they apply to the supplier
• Definition of acceptable uses for the data handled by the supplier
• Processes and procedures for monitoring compliance with the contract requirements
• A "right to audit" the supplier, or regular access to external assessments
• Conflict and defect resolution
• Required screening, training or other obligations of the supplier's staff
A.15.1.3 Information and communication technology supply chain
Control
• Agreements with suppliers shall include requirements to address the information security risks associated with the information and communications technology services and product supply chain.
Supply chain considerations:
• There should be a process to identify products or services that have a critical capability and therefore require increased scrutiny.
• The ability to trace the origin of components and their compliance with security requirements is integral to ensuring both integrity and availability.
• The organization should address the risk of a component or service becoming unavailable or no longer supported.
Clause A.15.2: Supplier Service Delivery Management
Objective
• To maintain an agreed level of information security and service delivery in line with supplier agreements
Controls
• A.15.2.1 Monitoring and review of supplier services
• A.15.2.2 Managing changes to supplier services
A.15.2.1 Monitoring and review of supplier services
Control
• Organizations shall regularly monitor, review and audit supplier service delivery.
Monitoring and review activities:
• Conduct audits of suppliers, in conjunction with outside assessments
• Require the supplier to promptly notify the organization of security incidents
• Provide regular audit trails and records of security events
• Have a conflict resolution process that can be invoked if requirements are not met
A.15.2.2 Managing changes to supplier services
Control
• Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking into account the criticality of the business information, systems and processes involved and a re-assessment of risks.
Changes to supplier services that should be managed include:
• Change of subcontractor
• Service enhancements
• Bug fixes
• Use of new technology
• New development tools
• Enhanced security measures
• Change of physical sites
Visit our websites :
http://www.ifour-consultancy.com http://www.ifourtechnolab.com
References : https://spaces.internet2.edu/display/2014infosecurityguide/Supplier+Relationships