Operating Procedures for information and communication technology
Sean,
The procedure for auditing of suppliers and outsourcing partners is outlined in section 3.2 of "Operating procedures for information and communication technology" - basically, this auditing should be performed only if those suppliers or outsourcing partners create great risks for your company. E.g. if you are a bank, and a software company develops your core transaction application, then certainly you want to make sure they safeguard the security of your information.
To be able to perform the audits, you have to include such a clause in the contract with the supplier/partner - you have an example of such a clause in a document called "Security clauses for suppliers and partners". So, once you are authorized to perform an audit, you can do it either on-site (by visiting them) or off-site (they send you the documentation and other evidence by email).
You can perform the audit yourself, or you can hire a professional auditor to perform the job - in any case, the goal of such an audit is to determine whether the supplier/partner complies with all the security requirements you have stated in your contract.
The audit is normally performed once a year, or once in three years.
Dejan
Jan 12, 2016