Vendor Reviews
I work for ***, which provides software and services to help companies do webinars. I'm trying to figure out whether certain companies whose services we use need to be on our Vendor Log, whether we need to perform periodic vendor reviews for them, etc. It is clear to me that our Key Vendors and all vendors who interface with our software would need to be included. But what about companies like ***, which helps us manage our social accounts? It is not clear to me where the line is in cases like this.
Thanks very much.
I'm assuming that by "Vendor log" you mean the document or system you use to record and manage your vendors.
Considering that, to identify which vendors should be in your Vendor Log and under periodic vendor review, you need to perform a risk assessment on your vendors to identify whether they can raise relevant risks that need treatment. Additionally, you need to evaluate the legal requirements you must comply with (e.g., laws, regulations and contracts) to identify whether any of them has clauses defining specific vendors or conditions that will require vendors to be logged or reviewed periodically.
These articles can provide further information:
- 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
- ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/
Nov 06, 2020