ISO:Supplier Relationships and Procurement

From Hornbill
Revision as of 09:12, 26 September 2018 by Keiths.

Supplier Relationships and Procurement

A Risk Assessment should be carried out to identify specific controls implemented before granting access to third parties or customers.

Identification of risks related to external party access takes account of the following: the level of physical access, the level of logical access, the external party's legal and regulatory requirements, and other contractual obligations relevant to the external party. To protect the confidentiality of information accessed by a third party or customer, Non-Disclosure Agreements (NDAs) are signed.

Access to information and information processing facilities by third parties or customers is not provided unless an NDA is in force.

It should be ensured that the external party is aware of these obligations, and accepts the responsibilities and liabilities involved in accessing, processing, communicating or managing information and information processing facilities.

Hornbill Technologies agrees with the external party the controls that the external party is required to implement and documents them in the contract or agreement, a legally binding document that the third party signs. The obligations on the external party include ensuring that all its personnel are aware of their obligations where necessary.

The agreements between the organisation and external parties (whether suppliers or customers) are intended to be legally binding and must specifically include the items on the checklist below (or provide documented reasons for excluding any of them from the contract), where the requirement for an item may have been identified through the risk assessment:

  • the Information Security Policy
  • the controls identified as required through the risk assessment process which may include procedures and technical controls

a clear definition and/or description of the product or service to be provided, and a description of information (including its classification) to be made available

  • requirements for user and administrator education, training and awareness
  • provisions for personnel transfer
  • description of responsibilities regarding software and hardware installation, maintenance and de-commissioning
  • clearly defined reporting process, reporting structure, reporting formats, escalation procedures and the requirement for the external party to adequately resource the compliance, monitoring and reporting activities
  • a specified change management process
  • controls against malware
  • access control policy
  • information security incident management
  • the target level for service and security, unacceptable service and security levels, definition of verifiable performance and security criteria, monitoring and reporting
  • the right to monitor and audit performance (including the third party’s processes for change management, vulnerability identification and information security incident management), to revoke activities, and to use external auditors
  • continuity requirements
  • liabilities on both sides, legal responsibilities and how legal responsibilities (including data protection and privacy) are to be met
  • the protection of IPR and copyright
  • controls over any allowed sub-contractors
  • conditions for termination/re-negotiation of agreements, including contingency plans.