Hello Advisera Team,
We are currently preparing for our upcoming ISO assessment and wanted to reach out for some guidance on ISO Control 15.2.2, which is copied below. What specifics would be used as evidence to show that our organization is meeting this requirement? The bullets below highlight what our current process is, and our associates would be able to speak to this; however, there is no real documented procedure.
• During contract negotiations, third parties are asked to make *** aware of any relationship changes so that a reassessment can be done.
• Any significant changes with a third party will go through an IT change management process.
• If changes occur to the type of data being exchanged, including sensitive data, our scheduling team will bring awareness.
• Periodic reassessments of third parties are completed by ***.
“Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, should be managed, taking account of the criticality of business information, systems and processes involved and re-assessment of risks.”
Please let me know if you need further clarification on the above items.