ISO/IEC 27001 Control 5.21: Managing information security in the ICT supply chain

Control

Processes and procedures should be defined and implemented to manage the information security risks associated with the ICT products and services supply chain.

Necessity of MidPoint

MidPoint's contribution to implementation of this control is marginal.

Implementation of the control is mostly outside the scope of identity governance and administration (IGA), so midPoint cannot provide a significant advantage. However, midPoint can still provide minor supporting information and functionality.

Implementation Overview

MidPoint can provide an inventory of applications, including their classifications.

Implementation Details

The application inventory can be used to catalog third-party (cloud) services used by the organization. Classifications can be used to categorize the services according to demonstrated certifications applicable to the services. Policy rules can be used to limit access to services with insufficient security levels or certifications. Certification campaigns can be used for regular review of supplier access, including removal of unnecessary access.

Rationale

This control deals mostly with contractual obligations, not so much with technical controls and measures. However, there are some advantages that midPoint can provide.
