Please note that it is not our policy to provide recommendations about specific solutions or technologies to manage endpoints or the environments they access, so we can advise only about rules you should consider when evaluating such items.
Considering that, rules you should consider for those laptops/computers are access control for the accessed environment, use of protected channels to access the environment (e.g., use of VPN), use of encrypted drives, antivirus and updated OS and other required software (as you suggested), and use of backup.
About fit for purpose, provided these adopted controls decrease identified relevant risks to acceptable levels and fulfill applicable legal requirements, this would be acceptable for ISO 27001 certification purposes.
For example, specific information security or privacy laws and regulations (e.g., EU GDPR, HIPAA, etc.), and security clauses in contracts with clients (e.g., contractual clauses requiring the use of specific cryptography for storage devices).
Please note that, to enforce the application of such controls, you need to have signed contracts with these contractors, where such contracts will have information security clauses related to the controls you want the contractors to follow.
For further information, see:
- 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
- Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/
- How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/
May 02, 2022