iFour Consultancy ISMS Framework: Clause 15 – Supplier Management

Uploaded by pooja-soni, posted on 15-Apr-2017


Page 1: ISO 27001: Management Clause-15

iFour Consultancy

ISMS Framework: Clause 15 – Supplier Management

Page 2

ISO 27001:2013 divides Supplier Management into:

Clause A.15.1: Information Security in Supplier Relationships
Clause A.15.2: Supplier Service Delivery Management

Supplier Management – ISMS Requirements

Software Outsourcing Companies in India

Page 3

Clause A.15.1: Information Security in Supplier Relationships

Objective: To ensure protection of the organization's assets that are accessible by suppliers.

A.15.1.1 Information security policy for supplier relationships

A.15.1.2 Addressing security within supplier agreements

A.15.1.3 Information and communication technology supply chain

Page 4

A.15.1.1 Information security policy for supplier relationships

Control

• Information security requirements for mitigating the risks associated with the supplier's access to the organization's assets shall be agreed with the supplier and documented.

Page 5

A.15.1.2 Addressing security within supplier agreements

Control

• All relevant information security requirements shall be established and agreed with each supplier that may access, process, store, communicate, or provide infrastructure components for, the organization's information.

Items typically addressed in supplier agreements:

• Definitions of data ownership and disposition throughout the service lifecycle
• The organization's data classification requirements as they apply to the supplier
• Definition of acceptable uses for the data handled by the supplier
• Processes and procedures for monitoring compliance with the contract requirements
• A "right to audit" the supplier, or regular access to external assessments
• Conflict and defect resolution
• Required screening, training or other obligations of the supplier's staff

Page 6

A.15.1.3 Information and communication technology supply chain

Control

• Agreements with suppliers shall include requirements to address the information security risks associated with the information and communications technology services and product supply chain.

• There should be a process to identify products or services that have a critical capability and require increased scrutiny.
• The ability to trace origins and compliance with security requirements is integral to ensuring both integrity and availability.
• The organization should address the risks of a component or service becoming unavailable or no longer supported.

Page 7

Clause A.15.2: Supplier Service Delivery Management

Objective: To maintain an agreed level of information security and service delivery in line with supplier agreements.

A.15.2.1 Monitoring and review of supplier services

A.15.2.2 Managing changes to supplier services

Page 8

A.15.2.1 Monitoring and review of supplier services

Control

• Organizations shall regularly monitor, review and audit supplier service delivery.

• Conduct audits of suppliers in conjunction with outside assessments
• Require the supplier to promptly notify the organization of security incidents
• Provide regular audit trails and records for security events
• Have a conflict resolution process that can be invoked if requirements are not met

Page 9

A.15.2.2 Managing changes to supplier services

Control

• Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking into account the criticality of the business information, systems and processes involved, and re-assessment of risks.

Examples of changes to supplier services:

• Change of subcontractor
• Service enhancements
• Bug fixes
• Use of new technology
• New development tools
• Enhanced security measures
• Change of physical sites

Page 10

Visit our websites:

http://www.ifour-consultancy.com
http://www.ifourtechnolab.com

References: https://spaces.internet2.edu/display/2014infosecurityguide/Supplier+Relationships

For more details: Software Outsourcing Companies in India

Page 11

THANK YOU