Question about A.7.1.2
1 - As I have understood it, control A.7.1.2 requires mandatory documentation on both of the above with the organization's own employees.
I have difficulties defining the contractor part of this control. Does the control require mandatory documentation with contractors (in a supplier contract, etc.)?
ISO 27001 does not prescribe mandatory documentation to cover the description of information security responsibilities, so you can adopt the document that best fits your needs (e.g., a contract, a service agreement, a job proposal, a code of conduct, etc.).
For further information, see:
- What to consider in security terms and conditions for employees according to ISO 27001 https://advisera.com/27001academy/blog/2018/05/23/what-to-consider-in-security-terms-and-conditions-for-employees-according-to-iso-27001/
- Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/
- ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
2 - I can see at least two kinds of contractor cases: hired employment (just people from a contractor that specializes in hiring out people) and regular IT system vendors (and their own employees) with no employment status with us.
Is the regular IT system vendors part up to us to freely define in the Supplier Security Policy, or are there mandatory documentation requirements?
The supplier security policy is defined according to the results of your risk assessment and applicable legal requirements, and depending upon these elements they may have mandatory documents to write.
For example, if your risk assessment identifies that these vendors need to comply with control A.9.1.1 (Access control policy), then they have to document such policy.
This article will provide you with a further explanation of supplier security:
- 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
Jun 29, 2021