Guest
Supplier Security Program (Annex A 15 Supplier Relationships)
I am a little unclear on what the scope of the supplier management program should include. I am well informed of the risk-based approach for vetting and ongoing oversight and management, but I am wondering if the control only extends to suppliers where agreements are maintained or if it extends to any and all vendors that provide products and services to my organization (e.g., Adobe, open source tools, etc.). For instance, we use software where we simply accept the terms of use, like Adobe or video editing software. Obviously, we would not treat all vendors the same in terms of vetting and ongoing reviews, but we are not clear on whether we still need to include every single third party on our vendor spreadsheet with their classification, or if the list should only include those that we have classified as high risk or critical.
Expert
Rhand Leal
Jun 04, 2020
Besides those classified as high risk or critical, for the identification of these suppliers you must consider:
- the ISMS scope, i.e., the suppliers that can affect the information you want to protect
- the legal requirements (e.g., laws, regulations and contracts) you must comply with (for example, a contractual clause with a customer may require a specific supplier or suppliers to be included in the program)
If a supplier does not fall into one of the above-mentioned situations, then you do not need to include it in your supplier management program related to information security.
This article will provide you with a further explanation about supplier management:
- 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/