Supplier Security
To make sure we have good supplier security, is it recommended to get an "Order Data Protection Agreement" signed by the suppliers as well as the third parties the company is working with?
If yes, do you have any standard template for this, or should we take any template available on the Internet?
Please find attached one template, and suggest whether it looks fine to be used with suppliers and third parties.
Based on your attached document, I'm assuming you are referring to a document similar to a "Confidentiality Statement" (the term "Order Data Protection Agreement" does not exist in the standard, nor is it a common term).
Considering that, please note that for ISO 27001 you only have to implement a "Confidentiality Statement", a similar document like the "Order Data Protection Agreement", or any other type of control, if:
- the results of risk assessment require the implementation of such document
- there are legal requirements (e.g., laws and contracts) which require the implementation of such document
- there is a top management decision for implementation of such document
If none of the above-mentioned situations occurs, then you do not need to implement a "Confidentiality Statement" or "Order Data Protection Agreement".
Considering our toolkit, we have a "Confidentiality Statement" template, located in folder 08 Annex A Security Controls >> A.7 Human Resource Security, which you can evaluate to see whether it fulfills your needs. It contains the minimum required for compliance with the standard (for further security you should consider seeking expert legal advice, because we are not legal experts).
Regarding your document, it seems fine as a "Confidentiality Statement", with more clauses than our "Confidentiality Statement", but again we recommend that you seek legal advice.
Another way to handle this situation is by including a security clause in your service agreement with those parties working with you.
These articles will provide you with a further explanation about control selection and security clauses:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
- What to consider in security terms and conditions for employees according to ISO 27001 https://advisera.com/27001academy/blog/2018/05/23/what-to-consider-in-security-terms-and-conditions-for-employees-according-to-iso-27001/
Jan 07, 2020