Expert Advice Community


Background check for suppliers

Guest user Created:   Mar 07, 2019 Last commented:   Mar 07, 2019


I am very new to Advisera and Conformio, so please bear with me. We purchased the ISO 27001 & the EU GDPR bundle. Prior to purchasing this, we had already put a significant effort towards a project for managing Supplier Relationships. With that known, on to my question…

Expert
Rhand Leal Mar 07, 2019

1. Within the Supplier Relationship requirements, we were instructed by a previous ISO 27001 consultant that we should confirm background checks are being conducted on any suppliers which have physical access to our property, or have access to our data and network. After reviewing “11.A.15.2_Supplier_Data_Processing_Agreement_Integrated_EN.docx”, there doesn’t seem to be any agreement to background checks by the “Processor”. But, within “11.A.15_Supplier_Security_Policy_Integrated_EN.docx”, the policy states under the screening section (3.2) that screenings may be necessary. Are background checks not a requirement for Suppliers within ISO 27001?

Answer: Background checks, as part of the screening process, like any control from the ISO 27001 Annex, must be applied only if one of the following occurs:
- There are risks identified as unacceptable in the risk assessment that require the implementation of the control
- There are legal requirements (e.g., contracts, laws, and regulations) that require the implementation of the control
- There is a top management decision requiring the implementation of the control

If none of these options occur, there is no need to implement a particular ISO 27001 control. So background checks do not need to be implemented if there are no risks, there are no particular requirements, and there is no decision from the management.

This article will provide you with further explanation about selecting controls:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

2. Is there an updated “11.A.15.2_Supplier_Data_Processing_Agreement_Integrated_EN.docx” which includes background checks, or can you provide the verbiage to include? Please let me know if you need any further details in order to answer these questions.

Answer: You have the up-to-date version of the “11.A.15.2_Supplier_Data_Processing_Agreement_Integrated_EN.docx”, but if, considering the previous answer, you understand that you need to apply background checks, you can schedule a meeting with one of our experts, who will help you to develop this text. To schedule a meeting, please access this link: https://advisera.com/27001academy/consultation/