Expert Advice Community

Guest

Supplier Security Policy

  Quote
Guest
EL Created:   Mar 13, 2023 Last commented:   Mar 15, 2023

Supplier Security Policy

In relation to the Supplier security policy, 

1) is it necessary to perform an audit to cloud-based providers (e.g. Egnyte (files), Xero (finance data), Confluence (knowledge-based)) that are already in compliance/certified with many industry regulatory standards?. They are high-risk because of the type of information we're keeping in them, but again, these are already big established companies.

2) the same question as number 1 but for service providers (power, internet, telecommunications)

3) same question as number 1 but for professional outsourcing services such as legal, accounting, etc

 

0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Mar 15, 2023

1) is it necessary to perform an audit to cloud-based providers (e.g. Egnyte (files), Xero (finance data), Confluence (knowledge-based)) that are already in compliance/certified with many industry regulatory standards?. They are high-risk because of the type of information we're keeping in them, but again, these are already big established companies.

The need to perform audits on cloud-based providers that are already in compliance/certified will depend on the results of your risk assessment and applicable legal requirements. For example, you may have a contract with a client that specifies that your company needs to perform the audit, regardless of the provider certifications.

What generally happens is that performing an audit of suppliers is not mandatory - very often companies choose to use vendors for high-risk applications without doing the audit because they trust their reputation and their certifications (e.g., Google Gmail, Amazon AWS, etc.). In other cases, it is sufficient to evaluate the audit report of the providers’ certification bodies.

For further information, see:

2) the same question as number 1 but for service providers (power, internet, telecommunications)

The same concept from answer 1 applies to service providers.

3) same question as number 1 but for professional outsourcing services such as legal, accounting, etc

The same concept from answer 1 applies to professional outsourcing services.

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Mar 13, 2023

Mar 15, 2023