ISO/IEC 27001 Control 5.20: Addressing information security within supplier agreements
Control
Relevant information security requirements should be established and agreed with each supplier based on the type of supplier relationship.
Necessity of MidPoint
MidPoint is optional for implementation of this control.
Implementation of this control without midPoint is feasible. However, midPoint provides considerable advantages for implementation of this control, making the implementation more efficient and reliable.
Implementation Overview
Some of the supplier contractual agreements can be enforced by midPoint policies.
Implementation Details
This control deals mostly with contractual obligations rather than with technical controls and measures. Most of the measures described in control 5.19 can be reused to enforce the contractual clauses of this control. MidPoint can ensure that access is granted to supplier identities only after all necessary contracts are in place, using the clearance mechanism, e.g. granting access only to supplier users who have signed a personal non-disclosure agreement. Note that midPoint enforces the prerequisite as recorded in its data (the clearance assigned to the user); the process that records the signed agreement still has to be trustworthy. The audit trail and object history features provide valuable information when managing incidents that involve supplier identities and their actions.
Related Features
Related Controls
- ISO/IEC 27001 5.10: Acceptable use of information and other associated assets
- ISO/IEC 27001 5.21: Managing information security in the ICT supply chain
- ISO/IEC 27001 5.22: Monitoring, review and change management of supplier services
- ISO/IEC 27001 5.31: Legal, statutory, regulatory and contractual requirements