Supplier Security Policy
I am currently reading over the Supplier Security Policy and wanted to check something. Under the "Monitoring and review" section, it mentions auditing the supplier or auditor once a year. What exactly is meant by this? And is it required?
Assign topic to the user
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more 
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
I’m assuming you are referring to the text “, as well as audit the supplier or partner at least once a year.” in section 3.5 of the Supplier Security Policy.
Considering that this text means that, as you need to audit your processes, you also need to audit suppliers and partners to ensure they have implemented the security controls you agreed with them, and if the controls are performing properly.
Please note that such audits are required only if control A.15.2.1 - Monitoring and review of supplier services is stated as applicable in the Statement of Applicability.
Additionally, there are different types of audits, some more thorough (e.g., a comprehensive local audit), others simpler (e.g., verification of applied security clauses), and you should consider criteria such as the criticality of the supplier, results of previous audits and incidents history to decide which audit approach to apply.
For further information, see:
- 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
- How to perform an ISO 27001 second-party audit of an outsourced supplier https://advisera.com/27001academy/blog/2017/10/10/how-to-perform-an-iso-27001-second-party-audit-of-an-outsourced-supplier/
Comment as guest or Sign in
Sep 01, 2022