ISO 27001 Information Security Management Standard - Clause A.15

Posted by Craig Thornton

Part 34 - A15 Supplier Relationships 

Having mutually beneficial supplier relationships is one of the key basics of running any management system.  I have previously written about this in my ISO 9001 certification series here.  I also wrote about it here and here.

As I said at the time: “Too few organisations make supplier management a priority, but the ones that do reap impressive rewards. Risk is reduced because communication is open and two-way – which means you are much less likely to be caught unawares.”

For ISO 27001, those principles are no different.

However, Annex A.15 of ISO 27001 takes this a step further and targets some specific areas.

Firstly, it looks at information security in supplier relationships.


A.15.1 Information Security in Supplier Relationships

The objective of this clause is to ensure you protect your organisation’s assets that are accessible by suppliers.

The process for this is to:

  1. Review all the assets you manage as part of A.8 Asset Management (see here).
  2. Check that the controls for mitigating the risks associated with your suppliers’ access to those assets are agreed with each supplier.
  3. Document those agreements.

Here at Mango we documented those supplier interactions and risks and discussed them with the supplier’s management. We then documented those into our supplier agreements. The areas covered the following:

  • Supplier access
  • Processing facilities
  • Storage
  • Communication
  • IT infrastructure components

Next up is supplier service delivery management. 

A.15.2 Supplier Service Delivery Management

The objective here is to maintain your agreed level of information security and service delivery in line with your supplier agreements.

This is closely related to A.15.1 above.

First, you need to regularly monitor, review and audit the services your suppliers deliver to your business.

Here at Mango we monitor performance monthly in our Management Review. We then review and audit the suppliers annually. We have an audit checklist in Mango to do this.

Secondly, you need to manage changes to the services provided by your suppliers. This includes maintaining and improving information security policies, procedures and controls. You need to take into account the criticality of the business information, systems and processes involved, and re-assess the risks.

Here at Mango we use our improvement module to manage changes to the provision of service. We check the risks involved and seek sign-off throughout the process.


Takeaways

  1. Seek to have a mutually beneficial relationship with all your critical suppliers.
  2. Review all your assets and how your suppliers access and interact with them.
  3. Check that the controls are agreed with the supplier.
  4. Document those into agreements with the supplier.
  5. Monitor and review your suppliers’ performance against those agreements.
  6. Make sure you effectively manage changes with your suppliers.

View previous blogs in this series "ISO 27001 Information Security Management Standard":

Part 1 - Reasons why you need to meet this standard

Part 2 - Principle 1 - Analysing the Protection of Your Information and then Applying Controls

Part 3 - Principle 2 - Awareness of the Need for Information Security

Part 4 - Principle 3 - Assignment of Responsibility for Information Security

Part 5 - Principle 4 - Incorporating Management Commitment and the Interests of Stakeholders

Part 6 - Principle 5 - Enhancing Societal Values

Part 7 - Principle 6 - Risk assessments determining appropriate controls to reach acceptable levels of risk

Part 8 - Principle 7 - Security incorporated as an essential element of information networks and systems

Part 9 - Principle 8 - Active prevention and detection of information security incidents

Part 10 - Principle 9 - Ensuring a comprehensive approach to information security management

Part 11 - Principle 10 - Continual reassessment of information security and making of modifications as appropriate

Part 12 - ISO 27001 Information Security Management Standard: Clauses 0, 0.1, 0.2, 1, 2 and 3

Part 13 - ISO 27001 Information Security Management Standard: Clauses 4.1, 4.2, 4.3 and 4.4

Part 14 - ISO 27001 Information Security Management Standard: Clause 5.1

Part 15 - ISO 27001 Information Security Management Standard: Clause 5.2

Part 16 - ISO 27001 Information Security Management Standard: Clause 5.3

Part 17 - ISO 27001 Information Security Management Standard: Clause 6.1

Part 18 - ISO 27001 Information Security Management Standard: Clause 6.2

Part 19 - ISO 27001 Information Security Management Standard: Clauses 7.1 - 7.4

Part 20 - ISO 27001 Information Security Management Standard: Clause 7.5

Part 21 - ISO 27001 Information Security Management Standard: Clauses 8.1, 8.2, 8.3

Part 22 - ISO 27001 Information Security Management Standard: Clauses 9.1, 9.2, 9.3

Part 23 - ISO 27001 Information Security Management Standard: Clauses 10.1, 10.2

Part 24 - ISO 27001 Information Security Management Standard: Clause A5

Part 25 - ISO 27001 Information Security Management Standard: Clause A6

Part 26 - ISO 27001 Information Security Management Standard: Clause A7

Part 27 - ISO 27001 Information Security Management Standard: Clause A8

Part 28 - ISO 27001 Information Security Management Standard: Clause A9

Part 29 - ISO 27001 Information Security Management Standard: Clause A10

Part 30 - ISO 27001 Information Security Management Standard: Clause A11

Part 31 - ISO 27001 Information Security Management Standard: Clause A12 

Part 32 - ISO 27001 Information Security Management Standard: Clause A13

Part 33 - ISO 27001 Information Security Management Standard: Clause A14

Tags: ISO 27001, information security, ISO 27001 Certification