
ISO Control 15.2.2 Extended Support Request

Guest user Created:   Jun 03, 2022 Last commented:   Jun 03, 2022


Hello Advisera Team,

We are currently preparing for our upcoming ISO assessment and wanted to reach out for some guidance on ISO Control 15.2.2 which is copied below. What would be the specifics that would be used for evidence to show that our organization is meeting this requirement? The bullets below highlight what our current process is and our associates would be able to speak to this, however there is no real documented procedure.

  • During contract negotiations third parties are asked to make ***aware of any relationship changes so a reassessment can be done.
  • Any significant changes with a third party will go through an IT change management process.
  • If changes occur to the type of data being exchanged to include sensitive data our scheduling team will bring awareness.
  • Periodic reassessments of third parties are completed by ***.

“Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, should be managed, taking account of the criticality of business information, systems and processes involved and re-assessment of risks.”

Please let me know if you need further clarification on the above items.

Expert
Rhand Leal Jun 03, 2022

Since control A.15.2.2 Managing changes to supplier services does not require a documented procedure, the specifics for evidence you may consider are:

  • emails exchanged during contract negotiations questioning third parties about relationship changes, or reviewed assessments related to such changes
  • the history of change requests records
  • communications to schedule teams about changes in exchanged data
  • history of assessment review