Expert Advice Community

Guest

Supplier Security Program (Annex A 15 Supplier Relationships)

  Quote
Guest
Guest user Created:   Jun 04, 2020 Last commented:   Jun 04, 2020

Supplier Security Program (Annex A 15 Supplier Relationships)

I am a little unclear on what the scope of the supplier management program should include. I am well informed of the risk based approach for vetting and ongoing oversight and management, but I am wondering if the control only extends to suppliers where agreements are maintained or if it extends to any and all vendors that provide products and services to my organization (e.g., Adobe, Open Source Tools, etc.). For instance, we use software where we simply accept the terms of use like Adobe or video editing software. Obviously, we would not treat all vendors the same in terms of vetting and ongoing reviews, but we are not clear on whether we still need to include every single third party on our vendor spreadsheet with their classification, or if the list should only include those that we have classified as high risk or critical.
0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Jun 04, 2020

Besides those classified as high risk or critical, for the identification of these suppliers you must consider:

  • the ISMS scope, i.e., the suppliers that can affect the information you want to protect
  • the legal requirements (e.g., laws, regulations and contract) you must comply to (for example, a contractual clause with a customer may require a specific supplier or suppliers to be included in the program)

If a supplier does not fall in one of the above-mentioned situations, then you do not need to include it in your supplier management program related to information security.

This article will provide you a further explanation about supplier management:

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Jun 04, 2020

Jun 04, 2020