A.15.2.2 Managing changes to supplier services
I have read the implementation guidance in ISO 27002 but I am still not sure of what type of controls we should implement to be compliant with the control A.15.2.2 (ISO27001:2013). I understand that this is regarding changes in supplier agreements and/or Terms and conditions, changes in how our company uses the supplier services etc. Could anyone share how you have implemented this control? We have a non conformance from our recent audit regarding this hence my question.
Assign topic to the user
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more 
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
Control A.15.2.2 Managing changes to supplier services can be implemented by means of a change management process considering the following steps:
- identification of what needs to be changed (e.g., hardware, software, documentation, etc.) and on which systems;
- assessment of the criticality of the systems, information, and processes affected by the change;
- re-assessment of the risks related to the systems, information, and processes affected by the change (e.g., current risks that may change, risks that may arise);
- formal approval of proposed changes
- development of an implementation plan, including, when necessary, procedures for aborting and recovering from unsuccessful changes and unforeseen events;
- testing of the proposed changes before and after deployment of changes in production environment
- communication of changes performed to all relevant persons.
You can use your change management procedure as a basis to manage changes related to your supplier.
You can read more about managing changes in an ISMS according to ISO 27001 A.12.1.2 on our blog.
Comment as guest or Sign in
Sep 22, 2023