Guest
ISO Control 15.2.2 Extended Support Request
Hello Advisera Team,
We are currently preparing for our upcoming ISO assessment and wanted to reach out for some guidance on ISO Control 15.2.2 which is copied below. What would be the specifics that would be used for evidence to show that our organization is meeting this requirement? The bullets below highlight what our current process is and our associates would be able to speak to this, however there is no real documented procedure.
• During contract negotiations third parties are asked to make ***aware of any relationship changes so a reassessment can be done.
• Any significant changes with a third party will go through an IT change management process.
• If changes occur to the type of data being exchanged to include sensitive data our scheduling team will bring awareness.
• Periodic reassessments of third parties are completed by ***.
“Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, should be managed, taking account of the criticality of business information, systems and processes involved and re-assessment of risks.”
Please let me know if you need further clarification on the above items.
Expert
Rhand Leal
Jun 03, 2022
Since control A.15.2.2 Managing changes to supplier services does not require a documented procedure, the specifics for evidence you may consider are:
- emails exchanged during contract negotiations asking third parties about relationship changes, or reviewed assessments related to such changes
- the history of change request records
- communications to scheduling teams about changes in exchanged data
- the history of assessment reviews