Question on Stakeholder Requirements for ISMS ISO 27001:2013
1 - In the survey of Stakeholders for my ISMS, in what scenario may some suppliers have requirements that must be considered for the ISMS?
Are these requirements that they must meet for my organization regarding information security, or are they requirements that my company must meet with them in aspects of information security?
Currently my providers are:
Microsoft (Azure + Office 365)
Amazon (cloud services)
Google (Corporate email)
Zoom (Videoconference)
Spamexperts (SMTP Relay)
Turbo SMTP (SMTP Relay)
Sophos (Antivirus licenses)
A Provider of the data center of my private cloud
An Internet access Provider in my physical Office.
A Software Development Provider.
A Provider of maintenance and support of User equipment
A maintenance and support provider for my virtual servers
A Provider that provides information security consulting services
With Microsoft, Google, Amazon, Zoom and Sophos, a contract is not managed; I simply buy and pay for the service online.
Please note that both situations can exist, i.e., there can be requirements set by you that the supplier needs to meet, and requirements set by the supplier that you need to meet (this is especially true when working with cloud services).
2 - Could you give me some examples of possible requirements these providers have regarding the ISMS that I want to implement?
A cloud provider can define a requirement that only a specific role in your organization is authorized to approve change requests in the infrastructure provided to you (e.g., only the IT Manager can approve such change requests).
Another example is that some cloud services providers require access control responsibilities to be shared between the provider and the organization (for example, the provider has responsibilities for setting systems parameters, while the organization has responsibilities for users’ access management).
3 - What considerations should I take into account regarding these suppliers in my ISMS?
To ensure proper security regarding suppliers, you need to consider the result of your risk assessment and applicable legal requirements you need to fulfill (for example, compliance with HIPAA and GDPR demands that security controls are also implemented by suppliers and their supply chains).
For further information, see:
- 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
Jun 03, 2022