A15 Supplier Relationships

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
or

Already have an account? Sign In »

Time
7 hours 56 minutes
Difficulty
Intermediate
CEU/CPE
8
Video Transcription
00:02
lesson 11 2011
00:04
a 15 supplier relationships
00:10
In this lesson, we will cover an understanding off control Set a 15,
00:15
the controls it covers and includes what these controls mean
00:20
as well as some examples of evidence that you can use in order. It's related to your items.
00:31
A 15 supplier relationships
00:34
consists of two control areas.
00:37
The first control area,
00:39
isn't it?
00:40
In put one
00:42
information security in supplier relationships.
00:46
This control area consists of three controls.
00:51
The first control is
00:53
a 15.1 point one
00:57
information security policy for supplier relationships.
01:02
This control specifies that information security requirements
01:06
for mitigating the risks associated with suppliers access to your organization's acids
01:12
shall be agreed with the supplier and formally documented.
01:19
Thes Second control
01:22
is a 15.1 point two
01:26
addressing security within supplier agreements.
01:30
This control is something that's really big when it comes to your third party. Risk management
01:37
Often
01:38
information security requirements
01:41
and clauses specific to your organization,
01:44
to which third parties need to be compliant
01:48
are often overlooked
01:49
and neglected from being included in supplier agreements.
01:55
Supplier agreements are where you can enforce specific requirements onto your suppliers,
02:04
so all relevant information security requirements
02:07
need to be established
02:09
and agreed upon with each supplier.
02:14
This is important for suppliers that may have access to
02:19
process,
02:20
store,
02:21
communicate
02:23
or provide I t infrastructure components. Full
02:27
your organization's information.
02:32
The third Control is a 15.1 point three
02:38
information and communication technology supply chain.
02:46
This is specific to your agreements with suppliers
02:51
and that these agreements need to include requirements
02:54
that address information security risks
02:58
that are specifically associate ID with information and communication technology services
03:05
and product supply chain.
03:09
This is an especially important concept to be aware of when you use a third party supplier
03:15
to host your data center or provide you with cloud services.
03:21
One of the biggest risks
03:23
is that that service provided either goes out of business.
03:27
There is no longer able to provide you with the platform that you require.
03:32
There needs to be some sort of fullback agreement
03:36
and some way in which the supplier can either transfer you to another supplier
03:42
or make some kind of plan to ensure that your services are not affected
03:46
by issues that they are facing.
03:50
Of course, within reason,
03:53
have a discussion with your suppliers
03:54
and ensure that you identify any risks around these scenarios
03:59
and that these air appropriately included and mitigated in your agreements with your suppliers.
04:08
The second control area
04:10
is a 15.2
04:12
supplier service delivery management.
04:15
This area consists of two controls.
04:18
The first control is a 15.1 point point to 0.0.1. So
04:26
monitoring and review off supplier services
04:30
organizations should regularly regularly monitor review an audit
04:36
service delivery off their suppliers.
04:41
It is important that once we've set up these requirements in the service
04:46
agreement,
04:46
what supplies
04:48
that we're staying on top of our supplies and making sure that they are delivering on their agreed upon requirements.
04:58
If you have specific requirements that the service provider must be penetrated penetration tested
05:03
every quarter,
05:05
then for example, the suppliers should be reply supplying you with the reports off these penetration tests.
05:15
The second control is a 15.2 point two
05:19
managing changes to supply your services,
05:26
so in some cases
05:28
service providers could change or enhance their services.
05:32
All you is an organization would want to make changes or enhancement to the services that you receive from your suppliers.
05:42
When changes occur,
05:44
it is important to ensure that you maintain
05:46
and improve existing information security policies,
05:51
any associated procedures and controls,
05:55
as well as the requirements, and closes in the various agreements.
06:00
It is also important to take into account the criticality off your business information
06:05
systems and processes that are involved
06:10
in the change.
06:13
A reassessment of risks would be required
06:16
to ensure that these are appropriately mitigated and managed.
06:21
Some examples off documentation or evidence that you can use in this general area
06:29
include your information security and business continuity strategies.
06:35
When you have a third party involved in your business continuity,
06:41
it is important to specify this and include them in any planning
06:46
or communication activities pertaining to your business. Continuity.
06:50
Make sure that your plans are aligned
06:53
and that their recovery targets
06:56
meet your recovery targets.
07:00
You might also have policies or procedures which concerns suppliers and any of their own upstream or peer suppliers, partners or customers.
07:12
So this pertains to how are your third parties managing their third parties? Do they have robust third party risk management processes in place?
07:29
There would also be associated records.
07:32
We're through God's too
07:33
contact points
07:35
for routine operations,
07:38
escalation
07:40
or commercial or exceptional issues.
07:44
You would also be generating some sort of report
07:46
regarding performance and compliance off the supplier.
07:51
Incident management
07:54
would also generate documents,
07:56
whether this these air incidents that the supplier has detected on your behalf,
08:01
or whether it's incidents you have raised on your own supplier for a lack off nonperformance,
08:09
risk assessment and risk treatment reports must also be
08:13
created and maintained for your various third parties,
08:18
your contracts or agreements in place with the third parties
08:22
specifically showing the information security requirements and clauses included there.
08:39
In this lesson,
08:41
we covered the to control areas that make up control, set a 15 supplier relationships.
08:50
We covered the five controls included in this area
08:54
what these controls mean at a high level,
08:56
and we also talked about some examples off information and documentation that can be used as evidence during your orders.
Up Next
ISO 27001:2013 - Information Security Management Systems

The ISO 27001:2013 - Information Security Management Systems course provides students with insights into the detail and practical understandings meant by the various clauses in the ISO 27001 Standard.

Instructed By