ISO 27001 Suppliers relationships for small company
As part of ISO 27001 Supplier relationships (A.15), and specifically for supplier risk assessment, management has decided that, as a small-sized business, the risk assessment for critical suppliers will be performed mostly through an online audit, for example by undertaking further research on Google, review websites and social media pages; on extremely rare occasions, further steps such as asking for NDAs and/or providing awareness training will be actioned.
In light of the above, would that be sufficient in terms of ISO 27001 certification, and can you recommend any tool or resource that could assist us in auditing suppliers online?
I’m assuming that by online audit you mean online assessment since an audit is not part of the risk assessment process.
Considering that, for supplier risk management this approach (online assessment, internet and social media search, and site review) is acceptable for certification purposes.
Regarding NDA and awareness training, please note that these are alternatives for risk treatment, not a risk assessment. These would be applicable if you identify relevant risks that can be treated by them, or in case you have legal requirements (e.g., laws, regulations, or contracts) demanding their implementation.
As for online resources for supplier risk assessment and audit, please take a look at these resources:
- Risk Assessment Table https://advisera.com/27001academy/documentation/risk-assessment-table/
- Internal Audit Checklist https://advisera.com/27001academy/documentation/internal-audit-checklist/
Jun 29, 2022