Expert Advice Community

Controls 15.1.2 & 15.1.3

Created:   Apr 10, 2020 Last commented:   Apr 14, 2020

We believe that in our case we do not need to have these controls in place. We are using our IMSM to confirm adherence to HIPAA and GDPR compliance. In the SoA we are going to state:

Our current suppliers are all well-established, best-in-class solutions that have already proven to be suitable for our requirements and were chosen with security of data in mind. All our classified software suppliers are ISO27001:2013 certified, HIPAA compliant and GDPR compliant. We have standard agreements that take into account the Confidentiality, Integrity and Availability of the data.

Does this seem like a reasonable rationale? We use large clients like AWS, so we can't expect that they would sign agreements with us.

Thank you,

Ed


Expert
Rhand Leal Apr 14, 2020

First, it is important to note that both controls are related to the establishment of security clauses in agreements. The purpose of such clauses is to protect your organization against unilateral changes in the operation of your suppliers that can affect your information security. No matter how recognized they are in the market, or certifications they have, without such clauses your suppliers have no obligation to take your business needs into account when making decisions about their own businesses, and this can affect you badly.

In the case of large providers (e.g., AWS) that do not sign agreements with their customers, they still have the Terms & Conditions that apply, and these have equal force as a signed agreement.

Considering that, since in your text for SoA you have "... We have standard agreements that take into account the Confidentiality, Integrity, and Availability of the data.", it means that control A.15.1.2 is applicable, and is already implemented, in your organization.

In case risks related to your suppliers' suppliers (i.e., their supply chain) are acceptable to you, and you do not have any legal requirement (e.g., laws, regulations or contracts) demanding implementation of control A.15.1.3, you could use a justification for excluding the control like this one: "No relevant risks, or legal requirements, were identified to justify the implementation of this control".

This article will provide you with further explanation about security clauses for suppliers:
