Expert Advice Community


Controls a.15.10.2 and a.13.2.4

Guest user Created:   Feb 18, 2021 Last commented:   Feb 18, 2021


We get a business email service from a third party such as *** for our company. We don't have any NDA with *** and get it under the SLA defined on their site. We are also starting to design an Information Security Management System. Does this conflict with A.13.2.4 and A.15.1.2?


Expert
Rhand Leal Feb 18, 2021

In case the NDA identified in the SLA you have with your provider fulfills all your needs (you should confirm that with a legal expert, based on the results of the risk assessment and applicable legal requirements), and is regularly reviewed, then this situation is compliant with the requirements of control A.13.2.4 - Confidentiality or nondisclosure agreements.

Regarding control A.15.1.2 – the identification of the NDA in the SLA provided by the supplier is acceptable, but please note that you also need to verify if other relevant risks related to this supplier are also covered by security clauses in the SLA.

These articles will provide you a further explanation about supplier management:

These materials will also help you regarding supplier management:
