ISO 27001
Annex A.15 - Supplier Relationships
Get compliant with ISO 27001 – Annex A.15 and simplify compliance for your organisation.

The objective is to protect and secure any assets that suppliers can access, and to maintain the agreed level of service delivery and information security.
The first part of this annex is about information security in supplier relationships. It covers an information security policy for suppliers, addressing security within supplier agreements, and information and communication technology (ICT) supply chain relationships.
Information security requirements relating to the risk of supplier access to the organisation’s property should be agreed with the supplier and documented. If an organisation wants to give a supplier access, a risk assessment should be carried out first. The organisation must identify the required information security controls and include them in the policy.
When an organisation creates policies to cover this topic, the following should be considered:
Security requirements should be agreed with any supplier that views, processes, stores or communicates the business’s information, or that delivers IT infrastructure components to the business.
The policies underlying this should include:
In your supplier agreements, most of the precautions included for physical supply chains will also apply to digital ones. The agreements need to include obligations to reduce the security risk associated with IT services and the product supply chain.
Suppliers are required to report the actions taken to minimise any type of risk, even minor risks, and the process used to eliminate those risks.
The risks of doing business with external parties should always be taken into account, ensuring that suppliers who handle confidential or high-risk data do so in line with what is documented in your policy.
The second part of this annex is about supplier service delivery management, including monitoring and review of supplier services, and managing changes to supplier services.
Companies should have actions in place to monitor, review and audit supplier service delivery on a regular basis. Regular monitoring and assessment of service providers ensures that information security policies are followed and that information security incidents and problems are effectively handled and reported.
This should cover:
Any alteration to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, should be managed in line with the criticality of the business information, systems and processes involved.
Any modifications, improvements or changes in the use of technology, and any changes in supplier responsibilities, must be covered under the supplier management policy.
©Copyright Inverifi 2023, All rights reserved. Registered in England, No: 06959535, +44 20 4574 9908