Requirements for MSP Company Regarding Supplier Security Policy
What requirements are there for an "MSP*" (managed service provider) type of company regarding a Supplier Security Policy and Security Clauses for Suppliers and Partners? I am curious about the data exchange, as the only data exchanged was in the data servers, and we are not sure if there is anything necessary for us to do in that regard.
* A managed service provider (MSP) is a third-party company that remotely manages a customer's information technology (IT) infrastructure and end-user systems.
ISO 27001 does not specify security requirements for particular companies or industries - instead, security requirements are defined by each company based on risk assessment and third-party requirements.
Considering that, you need to perform a risk assessment covering the exchanged data to identify whether you have any relevant risks that the MSP needs to handle (e.g., data loss due to a disaster), as well as any legal requirements you have to enforce on this MSP (e.g., a regulation that requires your organization to ensure that suppliers protect the information they handle in the organization's name).
The common scenario is the definition of information security clauses in SLAs or contracts signed with such MSPs.
These articles will provide you with further explanation:
- 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
- Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/
Can you direct me to the area where the ISO 27001 approved assessors are?
I’m assuming you are looking for accredited certification bodies.
Considering that, please note that there is no central list of ISO 27001 certification bodies. The main certification bodies for ISO 27001 are:
- BSI: https://www.bsigroup.com
- Bureau Veritas: https://www.dnvgl.com/
- DNV: https://www.dnvgl.com/services?ServiceTypes=136423
- SGS: www.sgs.com/
- TUV: www.tuv.com
This article will provide you with further explanation about selecting a certification body:
- How to choose a certification body https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/
Aug 24, 2022