Expert Advice Community

Supplier Security Policy
Guest user Created:   Sep 01, 2022 Last commented:   Sep 01, 2022

I am currently reading over the Supplier Security Policy and wanted to check something. Under the "Monitoring and review" section, it mentions auditing the supplier or auditor once a year. What exactly is meant by this? And is it required?

Expert
Rhand Leal Sep 01, 2022

I’m assuming you are referring to the text “, as well as audit the supplier or partner at least once a year.” in section 3.5 of the Supplier Security Policy.

This text means that, as you need to audit your own processes, you also need to audit suppliers and partners to ensure they have implemented the security controls you agreed with them and that those controls are performing properly.

Please note that such audits are required only if control A.15.2.1 - Monitoring and review of supplier services is stated as applicable in the Statement of Applicability.

Additionally, there are different types of audits, some more thorough (e.g., a comprehensive local audit), others simpler (e.g., verification of applied security clauses), and you should consider criteria such as the criticality of the supplier, results of previous audits and incidents history to decide which audit approach to apply.

For further information, see:
