Supplier Policy for Suppliers and Partners
- Do we need to make a Supplier Policy based on the attached points listed in the A.15.2 document? If yes, do we have to get it done through a legal representative of the company?
- Can you also give an overview of for what suppliers this policy will be made? For example, the computer manufacturer providing the laptops and accessories to the company, or external companies with whom the organization is working together.
- Is it mandatory to have a Supplier Security Policy?
Please find my answers below:
Do we need to make a Supplier Policy based on the attached points listed in the A.15.2 document? If yes, do we have to get it done through a legal representative of the company?
Answer: The Supplier Security Policy that is included in your ISO 27001 Documentation Toolkit (folder 08 Annex A - A.15 Supplier relationships) is a stand-alone document; it is not made based on the Security Clauses for Suppliers and Partners.
Can you also give an overview of for what suppliers this policy will be made? For example, the computer manufacturer providing the laptops and accessories to the company, or external companies with whom the organization is working together.
Answer: When you open the Supplier Security Policy, you will see in the introduction the following text: "...This document is applied to all suppliers and partners who have the ability to influence confidentiality, integrity and availability of organization name's sensitive information."
Therefore, if your risk assessment says that there are some security risks related to your supplier or partner, then this policy needs to be applied. Most likely these would be providers of cloud services, providers of consulting services, etc.
Is it mandatory to have a Supplier Security Policy?
Answer: The Supplier Security Policy is not a mandatory document; it is up to you to decide whether it is useful for your company or not. However, it is mandatory to document security clauses with your suppliers - this is usually done through an agreement.
Dear Mentor,
Thanks for the reply. We have some cloud suppliers, so in such a case do we require any specific audit checklist for them, or will only the Supplier Security Policy do?
In case we have to do some specific check with a supplier, then do you recommend any cloud supplier checklist?
Thanks
First, it is important to note that, for a more productive audit, besides the Supplier Security Policy, you should also use an audit checklist, and for that you have an audit checklist included in your toolkit (in folder 10 Internal Audit).
Considering that, if you do not have any legal obligation (e.g., laws or contracts) or risks demanding specific cloud controls to be implemented by your cloud suppliers, then the internal audit checklist included in your toolkit will be sufficient.
Jan 09, 2020