Expert Advice Community
Question about A.7.1.2

Guest user Created:   Jun 29, 2021 Last commented:   Jun 29, 2021

I have questions about the controls A.7.1.2 and A.15.1 (both are identified as applicable in our Statement of Applicability): A.7.1.2 Terms and conditions of employment / Confidentiality Statement and Statement of Acceptance of ISMS Documents.

As I understand it, control A.7.1.2 requires mandatory documentation on both of the above with the organization's own employees. I have difficulty defining the contractor part of this control. Does the control require mandatory documentation with contractors (in a supplier contract, etc.)?

I can see at least two kinds of contractor cases: hired employment (just people from a contractor who specializes in hiring people) and regular IT system vendors (and their own employees) with no employment status with us. Is the regular IT system vendor part up to us to freely define in the Supplier Security Policy, or are there mandatory documentation requirements?

Thank you for your answers.
Expert
Rhand Leal Jun 29, 2021

1 - As I understand it, control A.7.1.2 requires mandatory documentation on both of the above with the organization's own employees.

I have difficulty defining the contractor part of this control. Does the control require mandatory documentation with contractors (in a supplier contract, etc.)?

ISO 27001 does not prescribe mandatory documentation to cover the description of information security responsibilities, so you can adopt the document that best fits your needs (e.g., a contract, a service agreement, a job proposal, a code of conduct, etc.).

For further information, see:

2 - I can see at least two kinds of contractor cases: hired employment (just people from a contractor who specializes in hiring people) and regular IT system vendors (and their own employees) with no employment status with us.

Is the regular IT system vendor part up to us to freely define in the Supplier Security Policy, or are there mandatory documentation requirements?

The supplier security policy is defined according to the results of your risk assessment and applicable legal requirements, and depending on these elements, the vendors may have mandatory documents to write.

For example, if your risk assessment identifies that these vendors need to comply with control A.9.1.1 (Access control policy), then they have to document such policy.

This article will provide you with a further explanation about supplier security:
