Supplier relationships
Both of these categories are your suppliers. However, not both of them are equally risky for your company - therefore, after you perform your risk assessment you will realize that your stationery does not pose a threat to your information, while consultancy could - this means that you will have to perform certain controls on your consultant only.
The point is - you do not divide the suppliers upfront based on their business. You should decide whether to apply security controls only after you perform a risk assessment, no matter what they do.
Read also this article: 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
Jan 12, 2016