Information security reference in supplier and employee contracts

Created: Sep 15, 2020 Last commented: Sep 15, 2020

In terms of commercial and employee contracts, as interested parties, should there be a clause in the contracts to cover information and security? If so, is there a standard clause that can be used to cover this? I know these would need to be legally checked, but in your opinion, is the following a reasonable outline to be working with? 'Information management. *** operates under the guidelines of ISO27001 and The Data Protection Act (2018). Both parties must adhere to the specified processes and practices outlined in the company's Information Security Management System (ISMS).' 'Intellectual property. All rights to Intellectual Property remain with ***.'

Expert
Rhand Leal Sep 15, 2020

We received these questions:

1 - In terms of commercial and employee contracts, as interested parties, should there be a clause in the contracts to cover information and security? If so, is there a standard clause that can be used to cover this?

Answer: Information security related clauses must be included in contracts with interested parties, but the decision on which clauses to include depends on the results of risk assessment and legal requirements. Here are some clauses you should consider:
- Right to audit
- Actions to be taken if security requirements are violated by the involved parties

For further information, see:
- Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/
- What to consider in security terms and conditions for employees according to ISO 27001 https://advisera.com/27001academy/blog/2018/05/23/what-to-consider-in-security-terms-and-conditions-for-employees-according-to-iso-27001/

Included in your toolkit there is a Security Clauses for Suppliers and Partners document that can help you identify security requirements that can be put into a contract with suppliers and outsourcing partners. It is located in folder 08 Annex A Security Controls >> A.15 Supplier Relationships.

2 - I know these would need to be legally checked, but in your opinion, is the following a reasonable outline to be working with?
'Information management. *** operates under the guidelines of ISO27001 and The Data Protection Act (2018). Both parties must adhere to the specified processes and practices outlined in the company's Information Security Management System (ISMS).'

'Intellectual property. All rights to Intellectual Property remain with ***.'

Answer: From an ISO 27001 point of view this is fine, but since this is a legal document you should seek advice from your lawyers as well.
