I am curious to get some input in regards to how you manage suppliers of critical systems. At the moment I am struggling with deciding whether we should consider all providers of critical systems also as critical suppliers and handle them in our supplier handling process. All critical systems are handled, risk assessed, etc. according to our Asset management process. But I now ask myself if it is necessary to also have all of them inserted as critical suppliers and go through all the administrative work related to that.
Example: we use Hubspot and this has been evaluated as a critical system. It is included in our system asset register, has gone through a comprehensive system review, and we have the relevant contracts/agreements in the contract database. Would you also add Hubspot in the supplier register as a critical supplier? Which means that we will also evaluate the supplier on a regular basis, etc.
Another aspect to this is that for systems that we "purchase" via a supplier, we don't have the actual provider of the system registered as a supplier but the partner that the system provider is using.
I would love to hear your thoughts on this.
Please note that ISO 27001 approach for supplier security is through risk management and identification of applicable legal requirements (e.g., laws, regulations, and contracts). ISO 27001 does not use the concept of “critical supplier”.
Considering that, for each supplier, based on the results of risk assessment and applicable legal requirements, you must apply proportional security controls – i.e., the more risks, the more security controls will be required. Such controls may involve the implementation of controls in your own company and/or the enforcement of controls over suppliers by means of contracts or service agreements.
For example, in the case of HubSpot, if the related risks are considered too high, you should certainly address those through your own controls (e.g., backup, approval of access, etc.) and through agreements with HubSpot (if possible).
These articles will provide you with further explanation:
- Risk treatment https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment
- 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
May 17, 2023