2. Supplier Management – ISMS Requirements
ISO 27001:2013 classifies supplier management into two control objectives:
Clause A.15.1: Information Security in Supplier Relationships
Clause A.15.2: Supplier Service Delivery Management
Software Outsourcing Companies in India
3. Clause A.15.1: Information Security in Supplier Relationships
Objective: to ensure protection of the organization's assets that are accessible by suppliers.
A.15.1.1 Information security policy for supplier relationships
A.15.1.2 Addressing security within supplier agreements
A.15.1.3 Information and communication technology supply chain
4. A.15.1.1 Information security policy for supplier relationships
• Information security requirements for mitigating the risks associated with the supplier's access to the organization's assets shall be agreed with the supplier and documented.
5. A.15.1.2 Addressing security within supplier agreements
• All relevant information security requirements shall be established and agreed with each supplier that may access, process, store, communicate, or provide infrastructure components for, the organization's information.
Topics such agreements should cover include:
Definitions of data ownership and disposition throughout the service lifecycle
The organization's data classification requirements as they apply to the supplier
Definition of acceptable uses for the data handled by the supplier
Processes and procedures for monitoring compliance with the contract requirements
A "right to audit" the supplier, or regular access to external assessments
Conflict and defect resolution
Required screening, training or other obligations of the supplier's staff
6. A.15.1.3 Information and communication technology supply chain
• Agreements with suppliers shall include requirements to address the information security risks associated with the information and communications technology services and product supply chain.
There should be a process to identify products or services that have a critical capability and therefore require increased scrutiny.
The ability to trace the origin of components and to verify their compliance with security requirements is integral to ensuring both integrity and availability.
The organization should address the risks of a component or service becoming unavailable or no longer supported.
7. Clause A.15.2: Supplier Service Delivery Management
Objective: to maintain an agreed level of information security and service delivery in line with supplier agreements.
A.15.2.1 Monitoring and review of supplier services
A.15.2.2 Managing changes to supplier services
8. A.15.2.1 Monitoring and review of supplier services
• Organizations shall regularly monitor, review and audit supplier service delivery.
Practices that support this control include:
Conduct audits of suppliers in conjunction with outside assessments
Require the supplier to promptly notify the organization of security incidents
Provide regular audit trails and records for security events
Have a conflict resolution process that can be invoked if requirements are not met
9. A.15.2.2 Managing changes to supplier services
• Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking into account the criticality of the business information, systems and processes involved, and a re-assessment of risks.
Examples of changes to supplier services that should be managed under this control:
Change of subcontractor
Service enhancements
Bug fixes
Use of new technology
New development tools
Enhanced security measures
Change of physical sites
References:
https://spaces.internet2.edu/display/2014infosecurityguide/Supplier+Relationships