Controls in third party facility
Answer: Even if they are free of charge, you must consider establishing contracts to define the security clauses that those responsible for the buildings must implement, since you have no authority to implement them on your own (you have to consider the public entities providing the buildings as your suppliers). The security clauses to be included must reflect the results of a risk assessment as if you were managing the buildings yourself (e.g., if your risk assessment identifies the need for controls from section A.11, you must include the requirements of this section in your contracts).
These articles will provide you with further explanation about supplier management:
- 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
- Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/
We received this question:
>I have a further question. Some of the properties are free, public, and we do not have a contract. How will this impact your suggestion?
Answer: Without a contract you will not have any means to compel those responsible for the properties to implement the security controls you require, and you will be at risk of legal action for modifying the facilities yourself to implement the controls without authorization.
Mar 13, 2018