Before entering into an agreement with a supplier of an IT service, an information security risk assessment is performed.
Contractual agreements regarding information security are made with suppliers of IT services.
Suppliers report on their compliance with these agreements and deliver evidence of compliance on request. The organisation actively monitors and documents this compliance. Non-compliance is treated as a potential security incident.
The organisation documents which suppliers it has, which services each supplier provides, and the status of the contract with each supplier.
Specification
The contractual agreements with the supplier contain, at a minimum, the following:
- Clauses necessary to comply with all security controls required by this baseline
- Clauses necessary to comply with all relevant legal requirements and other internal policies
- Clauses regarding the information security of any subcontractors
- Clauses regarding non-compliance and liability
- Agreements on what the supplier reports, and how, to demonstrate ongoing compliance with the agreement
Evaluations with the supplier take place at the following minimum frequency:
- Low: when needed
- Medium: once every 3 years
- High: once every year
Suppliers must inform the organisation of incidents and vulnerabilities without undue delay and no later than 72 hours after discovery, including the actions the organisation can take to mitigate the associated risks.
ISO 27001 & 27002:2022: 8.1, A5.14, A5.19, A5.20, A5.21, A5.22, A5.23, A5.36
SURF toetsingskader informatiebeveiliging (SURF information security assessment framework, NBA maturity model)
SC.03 Supplier risk management
SC.04 Internal control at third parties