We believe that in our case we do not need to have these controls in place. We are using our IMSM to confirm adherence to HIPAA and GDPR compliance. In the SoA we are going to state:
Our current suppliers are all well-established, best-in-class solutions that have already proven to be suitable for our requirements and were chosen with security of data in mind. All our classified software suppliers are ISO 27001:2013 certified, HIPAA compliant and GDPR compliant. We have standard agreements that take into account the Confidentiality, Integrity and Availability of the data.
Does this seem like a reasonable rationale? We use large clients like AWS, so we can't expect that they would sign agreements with us.
Thank you,
Ed
First, it is important to note that both controls are related to the establishment of security clauses in agreements. The purpose of such clauses is to protect your organization against unilateral changes in the operation of your suppliers that can affect your information security. No matter how recognized they are in the market, or what certifications they have, without such clauses your suppliers have no obligation to take your business needs into account when making decisions about their own businesses, and this can affect you badly.
In the case of large providers (e.g., AWS) that do not sign agreements with their customers, they still have Terms & Conditions that apply, and these have equal force to a signed agreement.
Considering that, since in your text for the SoA you have "... We have standard agreements that take into account the Confidentiality, Integrity, and Availability of the data.", it means that control A.15.1.2 is applicable, and is already implemented, in your organization.
In case risks related to your suppliers' suppliers (i.e., their supply chain) are acceptable to you, and you do not have any legal requirement (e.g., laws, regulations or contracts) demanding implementation of control A.15.1.3, you could use a justification for excluding the control like this one: "No relevant risks, or legal requirements, were identified to justify the implementation of this control".
This article will provide you with further explanation about security clauses for suppliers:
- Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/
Apr 14, 2020