According to the ISO 27001 recommendations (Annex A.15.1), information security in supplier relationships is an important part of the information security management system (ISMS). The objective of those recommendations is to protect an organisation’s valuable assets that are accessible to, or affected by, suppliers or partners.
Indeed, it is common practice for organisations to outsource some services to specialised providers or suppliers. This is mainly because the organisation does not want to do the work internally, or because it cannot easily do the work as well or as cost-effectively as the supplier.
However, when services are outsourced, it is important that the organisation and the supplier agree on information security terms, such as an NDA or a supplier security agreement. Generally, an organisation sets up a supplier security policy and standard agreements that are used for each new supplier. It is nevertheless important to study each case before signing the general agreement, as every supplier relationship is different.
Generally, a proper supplier security policy will consider the organisation’s operational requirements and identify the sensitive assets that the supplier will have access to or control over. For example, a web design agency usually has access to its clients’ websites and a degree of control over them. It is essential that the organisation hiring the web agency sets limits and defines the agency’s responsibilities in the event of an information breach.
In other words, a good policy will set out supplier segmentation, selection, management and exit, and how information assets shared with suppliers are controlled, in order to minimise the associated risks. This in turn enables the organisation to reach its goals and objectives. A proper policy will also include appropriate provisions for future changes, so that it can adapt to an evolving environment.
Below are some crucial points that a supplier security policy should cover:
· Addressing Security Within Supplier Agreements
· Information & Communication Technology Supply Chain
· Monitoring & Review of Supplier Services
· Managing Changes to Supplier Services
If you would like to set up a supplier security policy for your organisation, Ascentrix Consulting can help you with this task. Contact us for a free consultation.