Guest user Created: Jun 29, 2021 Last commented: Jun 29, 2021

Question about A.7.1.2

I have questions about these controls A.7.1.2. and A.15.1. (both are identified as applicable in our Statement of Applicability): A.7.1.2 Terms and conditions of employment / Confidentiality Statement and Statement of Acceptance of ISMS Documents. As I have understand control A.7.1.2 requires mandatory documentation on both above with organization’s own employee. I have difficulties to define contractor part of this control. Does the control require mandatory documentation with contractors (on a supplier contract etc.)? I can see at least two kinds of contractor cases: hired employment (just people from a contractor who is specified in hiring people) and regular IT system vendors (and their own employees) with no employment status with us. Are the regular IT system vendor part up to us to freely define in Supplier Security Policy or are there mandatory documentation requirements? Thank you for your answers.

0 0

Assign topic to the user

Select user

Expert

Rhand Leal Jun 29, 2021

1 - As I have understood control A.7.1.2 requires mandatory documentation on both above with organization’s own employee.

I have difficulties to define contractor part of this control. Does the control require mandatory documentation with contractors (on a supplier contract etc.)?

ISO 27001 does not prescribe mandatory documentation to cover the description of information security responsibilities, so you can adopt the document that best fits your needs (e.g., a contract, a service agreement, a job proposal, a code of conduct, etc.).

For further information, see:

What to consider in security terms and conditions for employees according to ISO 27001 https://advisera.com/27001academy/blog/2018/05/23/what-to-consider-in-security-terms-and-conditions-for-employees-according-to-iso-27001/
Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/
ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

2 - I can see at least two kinds of contractor cases: hired employment (just people from a contractor who is specified in hiring people) and regular IT system vendors (and their own employees) with no employment status with us.

Are the regular IT system vendors part up to us to freely define in Supplier Security Policy or are there mandatory documentation requirements?

The supplier security policy is defined according to the results of your risk assessment and applicable legal requirements, and depending upon these elements they may have mandatory documents to write.

For example, if your risk assessment identifies that these vendors need to comply with control A.9.1.1 (Access control policy), then they have to document such policy.

This article will provide you a further explanation about supplier security:

6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/

Quote

0 1

Comment as guest or Sign in

HTML tags are not allowed

Name *

Email *

I accept the Privacy and Terms

Notify me when someone replies

Jun 29, 2021

Expert Advice Community