
ISO 27001:2013 A.15 Supplier relationships
isoconsultantkuwait.com/2019/12/22/a-15-supplier-relationships

December 22, 2019

External suppliers are a vital component of business operations. Suppliers may have
access to a wide range of information from the supported organization. Once shared with
a supplier, direct control of this information is lost, regardless of sensitivity or value. As a
result, appropriate technical and contractual controls and mitigation processes must be
established with all external suppliers. One essential control would be to ensure the
existence of a data-sharing agreement that clearly delineates roles and responsibilities.
Some data privacy regulations may have specific data sharing requirements that must be
met. The contracting organization should understand that the management of external
providers is a lifecycle. Part of this cycle is a process to monitor and continuously assess
provider performance and compliance. A variety of tools may be used to assess and
validate external supplier data protection practices. In almost all cases, some mitigation
will be contractual and requires extensive documentation. In addition to protecting
information handled and used by external suppliers, the organization must also assess
service availability. If business-critical data or functions are supported by an external
entity, then the provider’s disaster recovery processes are integral to the recovery
processes of the hiring entity. Agreements regarding the return of data in the event of
contract termination or unexpected closure should also be considered within the lifecycle.
Annex A.15.1 is about information security in supplier relationships. The objective here is
the protection of the organization’s valuable assets that are accessible to or affected by
suppliers. The organization must also consider other key relationships here, for
example partners that are not suppliers but still have an impact on your assets in ways
that might not be covered by a contract alone. This is an especially important part of the
information security management system (ISMS). Let’s understand those
requirements and what they mean in a bit more depth now.

A.15.1 Information security in supplier relationships

Objective:

To ensure the protection of the organization’s assets that are accessible by suppliers.

A.15.1.1 Information security policy for supplier relationships

Control

Information security requirements for mitigating the risks associated with the supplier’s
access to the organization’s assets should be agreed upon with the supplier and
documented.

Implementation guidance

The organization should identify and mandate information security controls to
specifically address supplier access to the organization’s information in the policy. These
controls should address processes and procedures to be implemented by the
organization, as well as those processes and procedures that the organization should
require the supplier to implement, including:
a) identifying and documenting the types of suppliers, e.g. IT services, logistics utilities,
financial services, IT infrastructure components, whom the organization will allow to
access its information;
b) a standardized process and lifecycle for managing supplier relationships;
c) defining the types of information access that different types of suppliers will be allowed,
and monitoring and controlling the access;
d) minimum information security requirements for each type of information and type of
access to serve as the basis for individual supplier agreements based on the organization’s
business needs and requirements and its risk profile;
e) processes and procedures for monitoring adherence to established information security
requirements for each type of supplier and type of access, including third-party review
and product validation;
f) accuracy and completeness controls to ensure the integrity of the information or
information processing provided by either party;
g) types of obligations applicable to suppliers to protect the organization’s information;
h) handling incidents and contingencies associated with supplier access including
responsibilities of both the organization and suppliers;
i) resilience and, if necessary, recovery and contingency arrangements to ensure the
availability of the information or information processing provided by either party;
j) awareness training for the organization’s personnel involved in acquisitions regarding
applicable policies, processes, and procedures;
k) awareness training for the organization’s personnel interacting with supplier personnel
regarding appropriate rules of engagement and behavior based on the type of supplier and
the level of supplier access to the organization’s systems and information;
l) conditions under which information security requirements and controls will be
documented in an agreement signed by both parties;
m) managing the necessary transitions of information, information processing facilities,
and anything else that needs to be moved, and ensuring that information security is
maintained throughout the transition period.

Other information

Information can be put at risk by suppliers with inadequate information security
management. Controls should be identified and applied to administer supplier access to
information processing facilities. For example, if there is a special need for
confidentiality of the information, non-disclosure agreements can be used. Another
example is data protection risks when the supplier agreement involves the transfer of, or
access to, information across borders. The organization needs to be aware that the legal
or contractual responsibility for protecting information remains with the organization.

Suppliers are used for two main reasons: either you want them to do work that you have
chosen not to do internally yourself, or you can’t easily do the work as well or as
cost-effectively as the suppliers can. The organization should identify and require information
security controls that specifically address external parties (contractors, service providers)
gaining authorized access to the organization’s information in the policy. The controls
should also specify processes and procedures that should be followed, either when third-
party contractors work within the organization or when there are service provider/hosting
arrangements. Suppliers should be managed throughout the lifecycle of a relationship
with them, from initially reviewing their contracts and security methods to monitoring
their SLAs and performance agreements once they are engaged to perform services
and/or provide solutions. Access control, especially for sensitive information, must be
accurately defined, managed, and monitored. Awareness training for both the
organization’s staff and supplier staff that handle or interact with this data must be
addressed. Finally, service transitions should be documented and include procedures for
secure data transfers and availability as the relationship changes during the lifecycle.
Many (but not all) supplier relationships will involve cloud computing services and
processes, which should be carefully considered as a part of Supplier Relationship
Management. One essential control that the organization can implement is the
development of a checklist to assess contractual cloud service providers. If regulated
and/or sensitive data is being put out in the cloud, then the organization should consider
obtaining formal written assurances from cloud service providers, including the regular
submission of independent assessments and/or audits. The organization should always
consider asking these cloud service providers for a copy of a report which focuses strictly
on reviewing controls related to the confidentiality, integrity, and availability of
information and systems. The organization has seen a move from consumer-level
adoption of cloud services to enterprise deployment of full-scale cloud storage and
collaboration platforms. Enterprise services can now offer the convenience of cloud
storage and collaboration services with single sign-on through the organization’s identity
management system, integration with other services, and contractual assurances of
privacy, security, and uptime. The deployment of enterprise cloud storage and
collaboration services has introduced new opportunities for how documents are
conceived, completed, and submitted. This technology provides the opportunity for
employees to bring their work wherever they go, access it instantly, and collaborate with
colleagues in a private and secure digital environment.

There are many important things to consider in the approach to supplier selection and
management but one size does not fit all and some suppliers will be more important than
others. As such your controls and policies should reflect that too and segmentation of the
supply chain is sensible; we advocate four categories of supplier based on the value
and risk in the relationship. These range from those who are business-critical to other
vendors who have no material impact on your organization. Some suppliers are also more
powerful than their customers (imagine telling Amazon what to do if you are using their
AWS services for hosting) so it’s pointless having controls and policies in place that the
suppliers will not adhere to. Therefore reliance on their standard policies, controls, and
agreements is more likely – meaning the supplier selection and risk management
becomes even more important. In order to take a more forward approach to information
security in the supply chain with the more strategic (high value / higher risk) suppliers,
organizations should also avoid binary ‘comply or die’ risk transferring practices e.g.
awful contracts preventing good collaboration. Instead, we recommend they develop more
close working relationships with those suppliers where high-value information and assets
are at risk, or they are adding to your information assets in some (positive) way. This is
likely to lead to improved working relationships, and therefore deliver better business
results too. A good policy describes the supplier segmentation, selection, management,
exit, how information assets around suppliers are controlled in order to mitigate the
associated risks, yet still enable the business goals and objectives to be achieved. Smart
organizations will wrap their information security policy for suppliers into a broader
relationship framework and avoid just concentrating on security per se, looking to the
other aspects as well. An organization may want suppliers to access and contribute to
certain high-value information assets (e.g. software code development, accounting payroll
information). They would therefore need to have clear agreements of exactly what access
they are allowing them, so they can control the security around it. This is especially
important with more and more information management, processing, and technology
services being outsourced. That means having a place to show management of the
relationship is happening; contracts, contacts, incidents, relationship activity, and risk
management, etc. Where the supplier is also intimately involved in the organization, but
may not have its own certified ISMS, then ensuring the supplier staff is educated and
aware of security, trained on your policies, etc. is also worth demonstrating compliance
around.

A.15.1.2 Addressing security within supplier agreements

Control

All relevant information security requirements should be established and agreed upon
with each supplier that may access, process, store, communicate, or provide IT
infrastructure components for, the organization’s information.

Implementation guidance

Supplier agreements should be established and documented to ensure that there is no
misunderstanding between the organization and the supplier regarding both parties’
obligations to fulfill relevant information security requirements. The following terms
should be considered for inclusion in the agreements in order to satisfy the identified
information security requirements:
a) description of the information to be provided or accessed and methods of providing or
accessing the information;
b) classification of information according to the organization’s classification scheme if
necessary also mapping between the organization’s own classification scheme and the
classification scheme of the supplier;
c) legal and regulatory requirements, including data protection, intellectual property
rights and copyright, and a description of how it will be ensured that they are met;
d) obligation of each contractual party to implement an agreed set of controls including
access control, performance review, monitoring, reporting, and auditing;
e) rules of acceptable use of information, including unacceptable use if necessary;
f) either an explicit list of supplier personnel authorized to access or receive the
organization’s information or procedures or conditions for authorization and removal
of the authorization, for access to or receipt of the organization’s information by
supplier personnel;
g) information security policies relevant to the specific contract;
h) incident management requirements and procedures (especially notification and
collaboration during incident remediation);
i) training and awareness requirements for specific procedures and information
security requirements, e.g. for incident response, authorization procedures;
j) relevant regulations for sub-contracting, including the controls that need to be
implemented;
k) relevant agreement partners, including a contact person for information security
issues;
l) screening requirements, if any, for supplier’s personnel including responsibilities for
conducting the screening and notification procedures if screening has not been
completed or if the results give cause for doubt or concern;
m) right to audit the supplier processes and controls related to the agreement;
n) defect resolution and conflict resolution processes;
o) supplier’s obligation to periodically deliver an independent report on the effectiveness
of controls and agreement on timely correction of relevant issues raised in the report;
p) supplier’s obligations to comply with the organization’s security requirements.

Other information

The agreements can vary considerably for different organizations and among the
different types of suppliers. Therefore, care should be taken to include all relevant
information security risks and requirements. Supplier agreements may also involve
other parties (e.g. sub-suppliers). The procedures for continuing processing in the event
that the supplier becomes unable to supply its products or services need to be considered
in the agreement to avoid any delay in arranging replacement products or services.

Working with suppliers that already meet the majority of your organization’s information
security needs for the services they provide to you, and that have a good track record of
addressing information security concerns responsibly, is a very good idea, as it will make
all of these processes much easier. In simple terms, look for suppliers that have already
achieved an independent ISO 27001 certification or equivalent themselves. It is also
important to ensure that the suppliers are kept informed of and engaged with any changes
to the ISMS, or specifically engaged around the parts that affect their services. Your auditor
will want to see this evidenced, so keeping a record of this in your supplier on-boarding
projects or annual reviews will make that easy to do. Things to include in the supply scope
and agreements generally include the work and its scope; information at risk and its
classification; legal and regulatory requirements, e.g. adherence to GDPR and/or other
applicable legislation; reporting and reviews; non-disclosure; IPR; incident management;
specific policies to comply with if important to the agreement; obligations on
subcontractors; screening of staff, etc. A good standard contract will deal with these
points but, as above, sometimes it might not be required and could be way over the top for
the type of supply, or it might not be possible to force a supplier to follow your idea of
good practice. Be pragmatic and risk-centered in the approach.

Supplier agreements should be established and documented to ensure there is no
misunderstanding regarding both parties’ obligations to fulfill relevant security, legal,
and/or regulatory requirements. Organizations are increasingly using outsourced
services. While sensitive data processes and services might be outsourced, responsibility
for the associated risk remains with the organization. Supplier agreements should include
(as appropriate) clear and concise information regarding:

The types of data being accessed and methods of access
Definitions of data ownership and disposition throughout the service lifecycle
The organization’s data classification requirements as they apply to the supplier
Definition of acceptable uses for the data handled by the supplier
Establishment of security incident notification requirements
Processes and procedures for monitoring compliance with the contract requirements
A “right to audit” the supplier or regular access to external assessments
Conflict and defect resolution
The required screening, training or other obligations of the suppliers’ staff
The use of subcontractors to provide services and the extension of security requirements to them.

It is important to address the risk early in the procurement phase of the relationship with
external parties so that roles, responsibilities, and expectations can be clearly defined in
agreements or contracts.

A.15.1.3 Information and communication technology supply chain

Control

Agreements with suppliers should include requirements to address the information
security risks associated with information and communications technology services and
product supply chains.

Implementation guidance

The following topics should be considered for inclusion in supplier agreements
concerning supply chain security:
a) defining information security requirements to apply to information and
communication technology product or service acquisition in addition to the general
information security requirements for supplier relationships;
b) for information and communication technology services, requiring that suppliers
propagate the organization’s security requirements throughout the supply chain if
suppliers subcontract for parts of information and communication technology service
provided to the organization;
c) for information and communication technology products, requiring that suppliers
propagate appropriate security practices throughout the supply chain if these products
include components purchased from other suppliers;
d) implementing a monitoring process and acceptable methods for validating that
delivered information and communication technology products and services are adhering
to stated security requirements;
e) implementing a process for identifying product or service components that are critical
for maintaining functionality and therefore require increased attention and scrutiny when
built outside of the organization especially if the top tier supplier outsources aspects of
product or service components to other suppliers;
f) obtaining assurance that critical components and their origin can be traced throughout
the supply chain;
g) obtaining assurance that the delivered information and communication technology
products are functioning as expected without any unexpected or unwanted features;
h) defining rules for sharing of information regarding the supply chain and any potential
issues and compromises among the organization and suppliers;
i) implementing specific processes for managing information and communication
technology component lifecycle and availability and associated security risks. This
includes managing the risks of components no longer being available due to suppliers no
longer being in business or suppliers no longer providing these components due to
technology advancements.

Other information

The specific information and communication technology supply chain risk management
practices are built on top of general information security, quality, project management,
and system engineering practices but do not replace them. Organizations are advised to
work with suppliers to understand the information and communication technology supply
chain and any matters that have an important impact on the products and services being
provided. Organizations can influence information and communication technology supply
chain information security practices by making clear in agreements with their suppliers
the matters that should be addressed by other suppliers in the information and
communication technology supply chain. The information and communication
technology supply chain as addressed here includes cloud computing services.

A good control builds on A.15.1.2 and is focused on the information and communication
technology supply chain, which may need something in addition to or instead of the standard
approach. ISO 27002 advocates numerous areas for implementation and whilst these are
all good, some pragmatism is needed as well. The organization should again recognize its
size compared to some of the very large providers that it will sometimes be working with
e.g. datacenters & hosting services, banks, etc., therefore potentially limiting its ability to
influence practices further into the supply chain. The organization should consider
carefully what risks there may be based upon the type of information and communication
technology services that are being provided. For example, if the supplier is a provider of
infrastructure critical services, and has access to sensitive information e.g. source code for
the flagship software service, it should ensure there is greater protection than if the
supplier is simply exposed to publicly available information e.g. a simple website.

Agreements with suppliers should include requirements to address the information
security risks associated with information and communications technology services and
product supply chains. This section is largely physical in nature and defines additional
points to include in supplier agreements, specifically related to their use of technology,
both hardware and software. There should be a process to identify a product or service
that is a critical capability and require increased scrutiny. This is especially true for
components built outside the supplier organization. The ability to trace origins and
compliance with security requirements is integral in ensuring both integrity and
availability. Finally, the organization should address the risks of a component or service
becoming unavailable or no longer supported.

A.15.2 Supplier service delivery management

Objective:

To maintain an agreed level of information security and service delivery in line with
supplier agreements.
Once operations of service providers have started, ensuring that the services delivered
conform to the specifications of third-party contracts is important. This can include
everything from availability levels of the service to something more granular, such as
examining the security controls the service provider agreed to in the contract. If there is a
great level of dependency upon third-party service providers, checking into service
capabilities, plans for handling information security incidents or service disruptions, and
business continuity testing may be warranted. Systematic monitoring and reviews of
services and controls are also recommended, including scrutinizing service reports
provided by the third-party to ensure the information is sufficient and relevant. As
business or information technology requirements are modified, this may also require a
change in the provision of third-party services, and procedures should be in place to
handle any new requirements. Additionally, modifications may also call for a review of
existing information security controls to ensure they are adequate.

A.15.2.1 Monitoring and review of supplier services

Control

Organizations should regularly monitor, review, and audit supplier service delivery.

Implementation guidance

Monitoring and review of supplier services should ensure that the information security
terms and conditions of the agreements are being adhered to and that information
security incidents and problems are managed properly. This should involve a service
management relationship process between the organization and the supplier to:
a) monitor service performance levels to verify adherence to the agreements;
b) review service reports produced by the supplier and arrange regular progress meetings
as required by the agreements;
c) conduct audits of suppliers, in conjunction with the review of independent auditor’s
reports, if available, and follow-up on issues identified;
d) provide information about information security incidents and review this information
as required by the agreements and any supporting guidelines and procedures;
e) review supplier audit trails and records of information security events, operational
problems, failures, tracing of faults and disruptions related to the service delivered;
f) resolve and manage any identified problems;
g) review information security aspects of the supplier’s relationships with its own
suppliers;
h) ensure that the supplier maintains sufficient service capability together with workable
plans designed to ensure that agreed service continuity levels are maintained following
major service failures or disasters.
The responsibility for managing supplier relationships should be assigned to a designated
individual or service management team. In addition, the organization should ensure that
suppliers assign responsibilities for reviewing compliance and enforcing the requirements
of the agreements. Sufficient technical skills and resources should be made available to
monitor that the requirements of the agreement, in particular the information security
requirements, are being met. Appropriate action should be taken when deficiencies in the
service delivery are observed. The organization should retain sufficient overall control and
visibility into all security aspects for sensitive or critical information or information
processing facilities accessed, processed, or managed by a supplier. The organization
should retain visibility into security activities such as change management, identification
of vulnerabilities, and information security incident reporting and response through a
defined reporting process.

A good control builds on A.15.1 and describes how organizations regularly monitor, review
and audit their supplier service delivery. Conducting reviews and monitoring is best done
based on the information at risk, as a one-size approach will not fit all. The organization
should aim to conduct its reviews in line with the proposed segmentation of suppliers in
order to optimize its resources and make sure that effort is focused on
monitoring and reviewing where it will have the most impact. As with A.15.1, sometimes
there is a need for pragmatism: you are not necessarily going to get an audit, human
relationship review, and dedicated service improvements with AWS if you are a very small
organization. You could, however, check (say) that their annually published SOC 2 reports and
security certifications remain fit for your purpose. Evidence of monitoring should be
completed based on your power, risks, and value, thus allowing your auditor to
see that it has been completed and that any necessary changes have been managed
through a formal change control process.

Organizations should regularly monitor, review, and audit supplier service delivery. The
organization cannot overlook the need to manage the risk to their information assets that
are accessed, processed, communicated to, or managed by external parties (partners,
vendors, contractors, etc.). The service provider should be continuously monitored to
assure that services provided are meeting the terms of the contract and security is
maintained. There should be an ongoing review of service reports, a process to address
concerns and issues, and periodic audits. This section also encompasses documentation
and procedures for handling security incidents, including incident reporting, mitigation,
and subsequent reviews. Finally, service capability levels must be monitored to ensure
that the service provider continues to meet the contract terms and needs of the business.
In addition to regular review and monitoring of the services provided, the contracting
organization should:

Conduct audits of suppliers in conjunction with outside assessments
Require the supplier to promptly notify regarding security incidents
Provide regular audit trails and records for security events
Have a conflict resolution process that can be invoked if requirements are not met

Some external parties provide independent audits based on the Statement on Standards
for Attestation Engagements, which focuses on the design of controls and their operating
effectiveness. When independent audit opinions are not available, the organization might
choose to evaluate the risk itself. Monitoring can mean different things to different
people. It can simply mean to assess, to watch, to keep track of, or to check, usually with a
special purpose. It does not mean or imply to verify or even to test. Actually, monitoring
is more of a spectrum that ranges from just “keeping an eye” at the low end to requiring a
site audit at the high end. Given the resources available to the organization,
verification could be an impractical and significantly costly requirement if
applied to all or most suppliers.

Effective monitoring of suppliers requires a process or methodology that defines the
approach to take based on the risk of the supplier or engagement – activities should be
more stringent, and closer to the high end of the spectrum, as risk increases or when
exceptional situations warrant them. The organizational policy may refer to instances in
which the sharing of sensitive data will result in a significant risk. Again, "significant"
can mean a number of things but, ultimately, depends on the organization's risk management
practices and risk tolerance (i.e., what is an acceptable risk). Only in cases of very high
risk, or when exceptional situations warrant it, should supplier monitoring require a
site audit, the results of a Statement on Standards for Attestation Engagements audit, or
the results of an audit performed by an independent auditor. What should an organization
do to monitor compliance with agreement requirements in most cases? Define the incremental
risk to the organization when engaging a supplier, and define a due diligence process for
mitigating those risks – third-party risk from remote access, data transmission, and
offsite storage. Consider the following as an outline for a contract monitoring process:
1. During System / Application / Process Implementation
   a. Identify the individual(s) responsible for monitoring the relationship with the
      supplier.
   b. During project status meetings:
      i. Assess and review status reports regarding progress made in the implementation
         of the security requirements included in the contract and/or statement of work.
      ii. Identify new areas or security requirements that may arise from changes in scope.
   c. If applicable, perform or request an audit of vendor security practices and
      procedures and/or perform a penetration test. It may be necessary to include a legal
      review by general counsel as well.
   d. During final test and prior to sign-off:
      i. Test the system/application/process security functionality required in the
         contract.
      ii. Review progress reports and determine whether all security requirements included
          in the contract and/or statement of work were completed.
   e. If applicable, perform an application scan.

2. Post Implementation
   a. Follow up with the system/application/process owner.
      i. Require the owner to perform a risk assessment based on policy (annual if high
         risk or mission-critical and bi-annual for the rest).
      ii. Review the risk assessment results with the owner. Any concerns? Any problems?
          Any unknowns that need to be addressed with the vendor?
   b. Follow up with the supplier. Are access logs available? Have any pending items been
      resolved? Are things on their end as expected? Any owner concerns? Did the risk
      assessment identify deficiencies?
   c. Based on risk (annually or bi-annually), resubmit the third-party information
      security risk assessment to assess what has changed, what needs closer scrutiny, or
      to identify inconsistencies with previous assessments.
   d. Establish a working relationship with your supplier.
   e. Participate in the supplier's product improvement committee. What changes are being
      considered? How would they impact the organization's risk and security postures?
   f. Review security incidents involving the system/application/process. Are these due to
      non-compliance?
   g. If applicable, based on the contract, require subsequent assurance tests.

For currently established suppliers, assess their risk (if it has not already been done), and
start with the steps listed in the Post Implementation section above as needed. It is
important to keep in mind that supplier monitoring is the last step of a cascading
progression. The initial identification of process and data impacted as well as initial
security requirements are used to formulate purchasing requirements. The answers to the
requirements are used to evaluate potential suppliers and refine security requirements.
The evaluation and risk assessment of finalists refine the security requirements that will,
in turn, be added as the language to the contract or statement of work. And, finally, it is
the final contract and corresponding risk level that determine the appropriate supplier
monitoring approach.
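As an added illustration (not part of the original page, and not a method prescribed by ISO 27001), the following Python sketches how a risk-based monitoring process like the one outlined above can be operationalized: the incremental risk factors the text names (data sensitivity, remote access, offsite storage, business criticality, unresolved incidents) are scored, the score selects a position on the monitoring spectrum from "keeping an eye" up to a site audit, and the reassessment cadence (annual if high risk or mission-critical, otherwise every two years, reading the text's "bi-annual" as every two years) is checked against the date of the last assessment. The scoring weights, thresholds, tier names and the sample supplier records are constructed assumptions, chosen only to make the logic concrete.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import IntEnum
from typing import List, Optional


class Tier(IntEnum):
    """Monitoring intensity, from the low end of the spectrum to the high end
    (names and boundaries are assumptions for this illustration)."""
    WATCH = 1         # review service reports and incident notifications
    EVIDENCE = 2      # additionally require audit trails / security-event records
    INDEPENDENT = 3   # additionally require an independent audit opinion (e.g. SSAE-based)
    SITE_AUDIT = 4    # additionally perform a site audit / subsequent assurance tests


@dataclass
class Supplier:
    name: str
    data_sensitivity: int            # 0 = public ... 3 = highly sensitive (constructed scale)
    remote_access: bool              # supplier has remote access into our environment
    offsite_storage: bool            # supplier transmits/stores our data outside our control
    mission_critical: bool           # a business-critical function depends on the supplier
    last_assessment: Optional[date]  # last third-party risk assessment; None if never done
    open_incidents: int = 0          # unresolved security incidents attributed to supplier


def risk_score(s: Supplier) -> int:
    """Add up the incremental risk factors; weights are assumptions."""
    score = s.data_sensitivity
    score += 2 if s.remote_access else 0
    score += 2 if s.offsite_storage else 0
    score += 2 if s.mission_critical else 0
    score += min(s.open_incidents, 3)   # cap so one noisy supplier cannot dominate
    return score


def is_high_risk(s: Supplier) -> bool:
    """High risk drives the annual cadence; mission-critical is high risk by itself."""
    return s.mission_critical or risk_score(s) >= 6


def monitoring_tier(s: Supplier) -> Tier:
    """Map the score onto the monitoring spectrum; a site audit only at the very top."""
    score = risk_score(s)
    if score >= 8:
        return Tier.SITE_AUDIT
    if score >= 6:
        return Tier.INDEPENDENT
    if score >= 3:
        return Tier.EVIDENCE
    return Tier.WATCH


def reassessment_interval(s: Supplier) -> timedelta:
    """Annual if high risk or mission-critical, every two years otherwise (assumed reading)."""
    return timedelta(days=365) if is_high_risk(s) else timedelta(days=730)


def reassessment_due(s: Supplier, today: date) -> bool:
    """A supplier never assessed is always due; otherwise compare against the cadence."""
    if s.last_assessment is None:
        return True
    return today >= s.last_assessment + reassessment_interval(s)


def monitoring_plan(suppliers: List[Supplier], today: date) -> List[dict]:
    """Portfolio view, highest risk first, with the tier and whether reassessment is due."""
    return [
        {"supplier": s.name, "score": risk_score(s),
         "tier": monitoring_tier(s).name, "reassess_due": reassessment_due(s, today)}
        for s in sorted(suppliers, key=risk_score, reverse=True)
    ]


# Constructed sample portfolio (fictional suppliers, not from the page).
TODAY = date(2019, 12, 22)
PAYROLL = Supplier("Payroll SaaS", 3, False, True, True, date(2018, 11, 1))
NETWORK = Supplier("Managed network vendor", 2, True, False, True, date(2019, 6, 1), open_incidents=2)
CATERING = Supplier("Office catering", 0, False, False, False, None)
PRINTSHOP = Supplier("Print shop", 1, False, True, False, date(2017, 6, 30))
PORTFOLIO = [PAYROLL, NETWORK, CATERING, PRINTSHOP]

if __name__ == "__main__":
    for row in monitoring_plan(PORTFOLIO, TODAY):
        print(row)
```

Run as a script it lists the four constructed suppliers from highest to lowest score, with the managed network vendor (remote access, mission-critical, two open incidents) landing in the site-audit tier and the never-assessed catering supplier flagged as due despite sitting at the low end of the spectrum; the point is that the cadence and the evidence required both follow from the contract's risk level rather than from a single fixed rule for every supplier.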

A.15.2.2 Managing changes to supplier services

Control
Changes to the provision of services by suppliers, including maintaining and improving
existing information security policies, procedures, and controls, should be managed,
taking account of the criticality of business information, systems, and processes involved
and re-assessment of risks.
Implementation guidance
The following aspects should be taken into consideration:
a) changes to supplier agreements;
b) changes made by the organization to implement:
   1. enhancements to the current services offered;
   2. development of any new applications and systems;
   3. modifications or updates of the organization's policies and procedures;
   4. new or changed controls to resolve information security incidents and to improve
      security;
c) changes in supplier services to implement:
   1. changes and enhancements to networks;
   2. use of new technologies;
   3. adoption of new products or newer versions/releases;
   4. new development tools and environments;
   5. changes to the physical location of service facilities;
   6. change of suppliers;
   7. sub-contracting to another supplier.

A good control describes how any changes to the provision of services by suppliers,
including maintaining and improving existing information security policies, procedures,
and controls, are managed. It takes into account the criticality of business information,
the nature of the change, the supplier type/s affected, the systems and processes involved,
and a re-assessment of risks. Changes to a supplier's services should also take into
account the closeness of the relationship and the organization's ability to influence or
control change in the supplier. All technology systems undergo continuous upgrade,
change, and repair. Changes to service provision by suppliers should be managed and
documented, taking into account the sensitivity of the information and services and a
re-assessment of risks. The contracting organization should determine how to integrate
its change management process with that of the supplier. Items to consider include:
• Service enhancements
• Bug fixes
• Use of new technology
• New development tools
• Enhanced security measures
• Change of subcontractor
• Change of physical sites
Where possible, supplier changes should be integrated with the contracting organization’s
change management processes.

If you need assistance or have any doubt and need to ask any questions, contact me at
preteshbiswas@gmail.com. You can also contribute to this discussion and I shall be happy
to publish them. Your comments and suggestions are also welcome.
