Content library
ISO 27001 (2013): Full
15.1.1: Information security policy for supplier relationships

How to fill the requirement

ISO 27001 (2013): Full

15.1.1: Information security policy for supplier relationships

Task name
Priority
Status
Theme
Policy
Other requirements
Data processing partner listing and owner assignment
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Partner management
Agreements and monitoring
34
requirements

Task is fulfilling also these other security requirements

28. Data processor
GDPR
44. General principle for transfers
GDPR
26. Joint controllers
GDPR
15.1.1: Information security policy for supplier relationships
ISO27 Full
8.1.1: Inventory of assets
ISO27 Full
1. Task description

The organization must maintain a list of partners who have access to confidential information. System vendors and processors of personal data are listed separately from other stakeholders because they play an active role in the processing of data.

Defining supplier types that can access confidential data
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Partner management
Supplier security
5
requirements

Task is fulfilling also these other security requirements

15.1.1: Information security policy for supplier relationships
ISO27 Full
ID.BE-1: Role in supply chain
NIST
5.19: Information security in supplier relationships
ISO27k1 Full
6.1.1: Partner Information security
TISAX
1. Task description

We define in advance the types of suppliers with whom cooperation requires access to confidential information or their processing areas, and through this e.g. demands data processing contracts. Such supplier types can be, for example, IT services, logistics, financial management and IT infrastructure components.

Criteria for high priority partners
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Partner management
Supplier security
16
requirements

Task is fulfilling also these other security requirements

15.1.1: Information security policy for supplier relationships
ISO27 Full
ID.BE-1: Role in supply chain
NIST
ID.SC-4: Audit suppliers and third-party partners
NIST
TSU-04: Henkilötietojen käsittelijä
Julkri
5.19: Information security in supplier relationships
ISO27k1 Full
1. Task description

The organization has defined the certifications or standards required of key partners. Commonly recognized standards related to cyber security include:

  • ISO 27001 (information security management system)
  • SOC2 (general security, also called SSAE 16)
  • ISO 27701 (data protection management system)
  • ISO 27017 (cyber security in cloud services) or ISO 27018 (data protection in cloud services)
  • other popular e.g. NIST (general), CSA (cloud software), PCI DSS (card payments and data)

Certifications required from partners can make organization's own partner management more efficient and provide good evidence of a particular level of security or privacy of the partner.

Minimum requirements for partner companies to gain access to different levels of information
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Partner management
Supplier security
7
requirements

Task is fulfilling also these other security requirements

15.1.1: Information security policy for supplier relationships
ISO27 Full
15.1.3: Information and communication technology supply chain
ISO27 Full
ID.BE-1: Role in supply chain
NIST
5.21: Managing information security in the ICT supply chain
ISO27k1 Full
6.5: Tietojärjestelmien perustiedot, kuvaukset ja olennaisten vaatimusten täyttyminen
Tietoturvasuunnitelma
1. Task description

Minimum security requirements have been set for partner companies handling our confidential information and these have been included in supplier agreements. Requirements vary depending on how critical information the partner handles.

It makes sense for requirements to consist of rules and practices that are followed in your own organization. You can divide the requirement levels into low, medium and high risk suppliers.

Monitoring suppliers' compliance with security requirements
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Partner management
Agreements and monitoring
23
requirements

Task is fulfilling also these other security requirements

32. Security of processing
GDPR
15.1.1: Information security policy for supplier relationships
ISO27 Full
15.2.1: Monitoring and review of supplier services
ISO27 Full
ID.GV-2: Cybersecurity role coordination
NIST
ID.SC-1: Cyber supply chain
NIST
1. Task description

A designated responsible person actively monitors the supplier's activities and services to ensure compliance with the security terms of the contracts and the proper management of security incidents.

Monitoring includes the following:

  • monitoring the promised service level
  • reviewing supplier reports and arranging follow-up meetings
  • regular organization of independent audits
  • follow-up of problems identified in audits
  • more detailed investigation of security incidents and review of related documentation
  • review of the supplier's future plans (related to maintaining the service level)
Criteria for suppliers of high priority data systems
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Data system procurement
16
requirements

Task is fulfilling also these other security requirements

15.1.1: Information security policy for supplier relationships
ISO27 Full
14.1.1: Information security requirements analysis and specification
ISO27 Full
15.2.1: Monitoring and review of supplier services
ISO27 Full
ID.SC-1: Cyber supply chain
NIST
ID.SC-4: Audit suppliers and third-party partners
NIST
1. Task description

The organization has defined the certifications or standards required of key partners. Commonly recognized standards related to cyber security include:

  • ISO 27001 (information security management system)
  • SOC2 (general security, also called SSAE 16)
  • ISO 27701 (data protection management system)
  • ISO 27017 (cyber security in cloud services) or ISO 27018 (data protection in cloud services)
  • other popular e.g. NIST (general), CSA (cloud software), PCI DSS (card payments and data)

Certifications required from partners can make organization's own partner management more efficient and provide good evidence of a particular level of security or privacy of the partner.

No items found.