Gathering information from suppliers
What are the mandatory resources needed to collect for review/risk assessment purposes from an application supplier/vendor?
Answer:
In general, you have these options to consider:
- Propose signing a Non-Disclosure Agreement to gain access to their policies
- Ask for a general overview only of these policies to see if they can fulfill your needs
- Ask them how they handle your specific risks related to this critical application
If none of these alternatives is possible, you should consider whether the risk of taking on the application without this information is acceptable, or whether you should consider another supplier for this application.
Regarding mandatory resources to collect, ISO 27001 is not prescriptive. The information you will need will depend on the results of the risk assessment and the legal requirements your organization has to fulfill.
Based on the risk assessment and legal requirements, you can sign a service agreement with this supplier including security clauses that specify whether access to documentation is needed or not.
These articles will provide you with further explanation about managing suppliers:
- 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
- Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/
Apr 23, 2019