
Expert Advice Community


Procedures for suppliers to cover the control of External Providers

Guest user Created:   Dec 28, 2020 Last commented:   Jan 06, 2021


I have a question concerning my ISO 22301:2019 package.

I have two companies:

1st: trade, storage and handling (simple cooling, temperature-controlled environment) of fresh fruit and vegetables.

2nd: offers environmental technologies and specializes in the design and manufacture of prefabricated innovative water treatment and wastewater systems, which incorporate innovative advanced solutions and are suitable for wastewater treatment for civil and industrial applications.

Both use external providers in their supply chain (such as technical services, drivers and trucks, external warehouses and engineers).

Where in this package can I find procedures for suppliers to cover the control of external providers?

8.1 Operational planning and control

The organization shall plan, implement and control the processes needed to meet requirements, and to implement the actions determined in 6.1, by:

The organization shall ensure that outsourced processes and the supply chain are controlled.


Expert
Dejan Kosutic Dec 28, 2020

To deal with third parties that are providing products and services to your company, you need to prepare the following documents for the processes that are supported by those third parties:

  • Define RTO and the required resources for recovery by doing the business impact analysis (folder 05 from your ISO 22301 Toolkit) 
  • Develop the business continuity strategy which involves the preparation of solutions and resources from third parties (folder 06 from your ISO 22301 Toolkit, in particular section 5.2 of the Business continuity strategy document)
  • Write the business continuity plan and recovery plans that also define the role of third parties (folder 07 from your ISO 22301 Toolkit)

To learn more about how to perform these 3 steps, see the recordings of these free webinars: 

Guest user Jan 04, 2021

In addition to my 27th of December question, paragraph 8.6 demands:
8.6 Evaluation of business continuity documentation and capabilities
c) conduct evaluations of the business continuity capabilities of relevant partners and suppliers;

Where in the package can I find a format for conducting an evaluation of partners and suppliers according to ISO 22301:2019?

And another question, please

6.2.1 Establishing business continuity objectives

The organization shall establish business continuity objectives at relevant functions and levels.
The business continuity objectives shall:

a) be consistent with the business continuity policy;
b) be measurable (if practicable);
c) take into account applicable requirements (see 4.1 and 4.2);
d) be monitored;
e) be communicated;
f) be updated as appropriate.

The organization shall retain documented information on the business continuity objectives.

6.2.2 Determining business continuity objectives

When planning how to achieve its business continuity objectives, the organization shall determine:

a) what will be done;
b) what resources will be required;
c) who will be responsible;
d) when it will be completed;
e) how the results will be evaluated.

Where can I find a format to record business continuity objectives and actions, and the evaluation of them, as 6.2.1 and 6.2.2 state?

Thank you once again.

And another question, please

4.1   Understanding the organization and its context
The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its BCMS.
NOTE These issues will be influenced by the organization’s overall objectives, its products and services and the amount and type of risk that it may or may not take.

Where in the package can I find a document to describe external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome, such as:

Pandemic in the territory
Earthquakes

Risk appetite in general and according to the site territory?

Expert
Rhand Leal Jan 06, 2021

1. In addition to my 27th of December question, paragraph 8.6 demands evaluations of the business continuity capabilities of relevant partners and suppliers. Where in the package can I find a format for conducting an evaluation of partners and suppliers according to ISO 22301:2019?

You can use the same procedure and checklist used for your internal audit. Both procedure and checklist can be found in folder 10 from your ISO 22301 Toolkit.

For additional information, see (the same concept applies to ISO 22301):

2. And another question, please. Where can I find a format to record business continuity objectives and actions and the evaluation of them, as 6.2.1 and 6.2.2 state?

You can use your own document usually used for planning for documenting business continuity objectives and methods to measure them, and if you do not have such, then you can use the blank template provided in the root folder of your toolkit.

For further information, see:

3. And another question, please. Where in the package can I find a document to describe external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome, such as a pandemic in the territory, earthquakes, and risk appetite in general and according to the site territory?

The information required by ISO 22301 clause 4.1 is addressed by the following templates:

  • Organization's activities (from clause 4.1 a)) and potential impact from disruptive incidents are addressed by template Business Impact Analysis Questionnaire (located at folder 04 Business Impact Analysis Methodology)
  • The organization's functions (from clause 4.1 a)) are addressed in all templates when an activity to be performed is required (by means of the field [job title]). Functions related specifically to the BCMS are defined in the template Business Continuity Policy, section 3.5, (located at folder 03 Business Continuity Policy)
  • Organization's product and services (from clause 4.1 a)) are addressed by template Business Continuity Policy, section 3.5, (located at folder 03 Business Continuity Policy)
  • Relations with suppliers, partners, and interested parties (from clause 4.1 a)) are addressed by template Business Continuity Strategy (located at folder 05 Business Continuity Strategy)
  • Relationships between the Business Continuity Policy and other organization's policies, objectives, and general risk management strategy (from clause 4.1 b)) are addressed by template Business Continuity Policy, section 2, (located at folder 03 Business Continuity Policy)
  • Organization's risk appetite (from clause 4.1 c)) is addressed by template Business Impact Analysis Questionnaire, section 6 (maximum acceptable outage) (located at folder 04 Business Impact Analysis Methodology)  

This article will provide you a further explanation (the same concept applies to ISO 22301):

This material will also help you regarding ISO 22301:
