ISO/IEC 27001 Control 5.21: Managing information security in the ICT supply chain
Control
Processes and procedures should be defined and implemented to manage the information security risks associated with the ICT products and services supply chain.
Necessity of MidPoint
MidPoint's contribution to implementation of this control is marginal.
Implementation of the control is mostly outside the scope of identity governance and administration (IGA), therefore midPoint cannot provide a significant advantage. However, midPoint can still provide minor supporting information and functionality.
Implementation Overview
MidPoint can provide an inventory of applications, including their classifications.
Implementation Details
The application inventory can be used to catalog third-party (cloud) services used by the organization. Classifications can be used to categorize those services according to the certifications they demonstrably hold. Policy rules can be used to limit access to services whose security level or certifications are insufficient. Certification campaigns can be used for regular review of supplier access, including removal of access that is no longer needed.
Rationale
This control deals mostly with contractual obligations rather than technical controls and measures. However, there are still some advantages that midPoint can provide.
Related Features
Related Controls
- ISO/IEC 27001 5.10: Acceptable use of information and other associated assets
- ISO/IEC 27001 5.19: Information security in supplier relationships
- ISO/IEC 27001 5.20: Addressing information security within supplier agreements
- ISO/IEC 27001 5.22: Monitoring, review and change management of supplier services
- ISO/IEC 27001 5.23: Information security for use of cloud services
- ISO/IEC 27001 5.31: Legal, statutory, regulatory and contractual requirements