Process for detecting and reporting security breaches related to the supply chain


The organization shall define the procedures for detecting and reporting security breaches in the supply chain: who reports, to whom, through which channel, and within what time. The process must cover every role we can have in the chain, whether we are the customer of an end product or one supplier among several, since the reporting obligations differ in each case.

The policies shall reflect the agreements made with partners and customers, including the commitments both parties have made regarding their reporting obligations, so that a breach detected by one party reaches the other within the agreed time.

Related frameworks and requirements:

  • ISO 27018, A.10.1: Notification of a data breach involving PII
  • NIST CSF, DE.CM-6: External service provider activity monitoring
  • ISO 27001:2022, 5.23: Information security for use of cloud services

Process for monitoring and tracking outsourced development work


Even when development is outsourced, we remain responsible for complying with applicable laws and for verifying that the security controls applied to the delivered software are effective.

We have defined the procedures that are followed and monitored throughout the outsourcing chain. Practices may include, for example, the following:

  • policies for reviewing and approving the code produced by the partner before it is accepted
  • evidence of the testing activities performed by the partner
  • agreed communication practices between the parties
  • contractual rights to audit the development process and the management tools used
  • documentation requirements for the code produced

Related frameworks and requirements:

  • ISO 27001:2013, 14.2.7: Outsourced development
  • NIST CSF, DE.CM-6: External service provider activity monitoring
  • ISO 27001:2022, 8.30: Outsourced development
  • ISO 27001:2022, 8.28: Secure coding