SLA and ISO 27001
Answer: Yes. ISO 27001 Annex A.15 (Supplier relationships) covers controls on what to include in agreements and how to monitor suppliers.
Regarding templates, the ISO 27001 Toolkit has a supporting document to help elaborate SLAs, the Security Clauses for Suppliers and Partners document (you can find it in folder 08 - Annex A, subfolder A.15 - Supplier Relationships, in your toolkit), but I also suggest you take a look at this free demo from 20000Academy to see if it can fulfil your needs:
- Service Level Agreement https://advisera.com/20000academy/documentation/sla/
You just have to scroll down the screen a little to find the free demo tab.
This article will provide you further explanation about relationships with suppliers:
- 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
These materials will also help you regarding relationships with suppliers:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
A.15 is about suppliers. I need to know about customers, please, or do they fall under the same Annex A.15? Thanks again
You can use the same logic, but backwards, that is, instead of you being a customer demanding security conditions from a supplier, your clauses would be about the security conditions you, as a provider, are offering to a customer.
For example, in a clause about backup, as a client demanding from the provider you would include a clause like "the provider should ensure backup copies are made of all classified information and handled according to their respective classification". As a provider offering this service to a client you would have a clause something like "as service provider, we will provide to the customer backup copies of all information stated by him as sensitive information, handling them according to their respective classification".
To better prepare SLAs for customers, you could check ISO 27001 clause 4.2 (Understanding the needs and expectations of interested parties) and control A.18.1.1 (Identification of applicable legislation and contractual requirements), so you can have a better understanding of the rationale a potential customer can use to identify his security needs.
This article will provide you further explanation about the identification of interested parties' requirements:
- How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/
These materials will also help you regarding the identification of interested parties' requirements:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
May 13, 2017