Expert Advice Community

Question on Stakeholder Requirements for ISMS ISO 27001:2013

Guest user Created:   Jun 03, 2022 Last commented:   Jun 03, 2022

1 - In the survey of stakeholders for my ISMS, in what scenario may some suppliers have requirements that must be considered for the ISMS? Are these requirements that they must meet for my organization regarding information security, or are they requirements that my company must meet with them in aspects of information security?

Currently my providers are:

- Microsoft (Azure + Office 365)
- Amazon (cloud services)
- Google (corporate email)
- Zoom (videoconference)
- Spamexperts (SMTP relay)
- Turbo SMTP (SMTP relay)
- Sophos (antivirus licenses)
- A provider of the data center of my private cloud
- An Internet access provider in my physical office
- A software development provider
- A provider of maintenance and support of user equipment
- A maintenance and support provider for my virtual servers
- A provider that provides information security consulting services

With Microsoft, Google, Amazon, Zoom, and Sophos, a contract is not managed; I simply buy and pay for the service online.

2 - Could you give me some examples of possible requirements these providers have regarding the ISMS that I want to implement?

3 - What considerations should I take into account regarding these suppliers in my ISMS?

Expert
Rhand Leal Jun 03, 2022

1 - In the survey of stakeholders for my ISMS, in what scenario may some suppliers have requirements that must be considered for the ISMS? Are these requirements that they must meet for my organization regarding information security, or are they requirements that my company must meet with them in aspects of information security?

Currently my providers are:

- Microsoft (Azure + Office 365)
- Amazon (cloud services)
- Google (corporate email)
- Zoom (videoconference)
- Spamexperts (SMTP relay)
- Turbo SMTP (SMTP relay)
- Sophos (antivirus licenses)
- A provider of the data center of my private cloud
- An Internet access provider in my physical office
- A software development provider
- A provider of maintenance and support of user equipment
- A maintenance and support provider for my virtual servers
- A provider that provides information security consulting services

With Microsoft, Google, Amazon, Zoom, and Sophos, a contract is not managed; I simply buy and pay for the service online.

Please note that both situations can exist, i.e., there can be requirements set by you that the supplier needs to meet, and requirements set by the supplier that you need to meet (this is especially true when working with cloud services).

2 - Could you give me some examples of possible requirements these providers have regarding the ISMS that I want to implement?

A cloud provider can define a requirement that only a specific role in your organization is authorized to approve change requests in the infrastructure provided to you (e.g., only the IT Manager can approve such change requests).

Another example is that some cloud service providers require access control responsibilities to be shared between the provider and the organization (for example, the provider has responsibilities for setting system parameters, while the organization has responsibilities for users' access management).

3 - What considerations should I take into account regarding these suppliers in my ISMS?

To ensure proper security regarding suppliers, you need to consider the result of your risk assessment and applicable legal requirements you need to fulfill (for example, compliance with HIPAA and GDPR demands that security controls are also implemented by suppliers and their supply chains).

For further information, see:
