I am very new to Advisera and Conformio, so please bear with me. We purchased the ISO 27001 & the EU GDPR bundle. Prior to purchasing this, we had already put a significant effort towards a project for managing Supplier Relationships. With that known, on to my question…
1. Within the Supplier Relationship requirements, we were instructed by a previous ISO 27001 consultant that we should confirm background checks are being conducted on any suppliers which have physical access to our property, or have access to our data and network. After reviewing “11.A.15.2_Supplier_Data_Processing_Agreement_Integrated_EN.docx”, there doesn’t seem to be any agreement to background checks by the “Processor”. But, within “11.A.15_Supplier_Security_Policy_Integrated_EN.docx”, the policy states under the screening section (3.2) that screenings may be necessary. Are background checks not a requirement for Suppliers within ISO 27001?
Answer: Background checks, as part of the screening process, like any control from the ISO 27001 Annex, must be applied only if one of the following occurs:
- There are risks identified as unacceptable in the risk assessment that require the implementation of the control
- There are legal requirements (e.g., contracts, laws, and regulations) that require the implementation of the control
- There is a top management decision requiring the implementation of the control
If none of these options occur, there is no need to implement a particular ISO 27001 control. So background checks do not need to be implemented if there are no risks, there are no particular requirements, and there is no decision from the management.
2. Is there an updated “11.A.15.2_Supplier_Data_Processing_Agreement_Integrated_EN.docx”, which includes background checks, or can you provide the verbiage to include? Please let me know if you need any further details in order to answer these questions.
Answer: You have the up-to-date version of the “11.A.15.2_Supplier_Data_Processing_Agreement_Integrated_EN.docx”, but if, considering the previous answer, you understand that you need to apply background checks, you can schedule a meeting with one of our experts and he will help you to develop this text. To schedule a meeting, please access this link: https://advisera.com/27001academy/consultation/