ISO/IEC 27001 Control 5.22: Monitoring, review and change management of supplier services

Control

The organization should regularly monitor, review, evaluate and manage change in supplier information security practices and service delivery.

Necessity of MidPoint

MidPoint's contribution to implementation of this control is marginal.

Implementation of the control is mostly outside the scope of identity governance and administration (IGA), so midPoint cannot provide a significant advantage. However, midPoint can still provide minor supporting information and functionality.

Implementation Overview

MidPoint can provide some monitoring and inventory capabilities for applications.

Implementation Details

The application inventory can be used to catalog third-party (cloud) services used by the organization, which in turn serves as a basis for regular review, e.g. review of classifications. MidPoint can monitor some user activity on the applications: for example, it can detect an application that has not been used recently, or an application that is used only by a fraction of the users who have access to it. Clearances applied to supplier organizations can be used to represent supplier company certificates, e.g. an ISO 27001 certificate. Certification campaigns can be set up to regularly review the validity of these certificates and re-evaluate evidence of regulatory compliance.
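The review heuristics described above, as an added illustration that is not midPoint's own code: given an inventory of third-party applications, who is entitled to each one, when each user last used it, and which supplier certificate (clearance) is recorded, it flags unused and under-used applications and expired or missing supplier certificates. All application names, users, dates and the 90-day window are constructed sample values.

```python
from datetime import date, timedelta

# Constructed sample inventory: application -> users entitled to it.
ACCESS = {
    "crm-saas": {"alice", "bob", "carol", "dave"},
    "payroll-cloud": {"alice", "erin"},
    "legacy-fileshare": {"bob", "carol", "dave", "erin"},
}
# Constructed activity records: (user, application) -> last recorded use.
LAST_USED = {
    ("alice", "crm-saas"): date(2024, 5, 2),
    ("bob", "crm-saas"): date(2024, 1, 10),
    ("alice", "payroll-cloud"): date(2024, 5, 6),
    ("erin", "payroll-cloud"): date(2024, 5, 5),
    ("dave", "legacy-fileshare"): date(2023, 9, 1),
}
# Constructed supplier clearances: application -> (certificate, expiry date).
SUPPLIER_CERTS = {
    "crm-saas": ("ISO 27001", date(2025, 1, 31)),
    "payroll-cloud": ("ISO 27001", date(2024, 3, 31)),
}


def usage_report(today_iso, window_days=90):
    """Per application: entitled users, users active within the window, and their ratio."""
    cutoff = date.fromisoformat(today_iso) - timedelta(days=window_days)
    report = {}
    for app, users in ACCESS.items():
        active = {u for u in users if LAST_USED.get((u, app), date.min) >= cutoff}
        report[app] = {"entitled": len(users), "active": len(active),
                       "ratio": len(active) / len(users)}
    return report


def review_findings(today_iso, window_days=90, low_usage=0.5):
    """Return (application, finding-code) pairs for a periodic supplier review."""
    today = date.fromisoformat(today_iso)
    findings = []
    for app, r in usage_report(today_iso, window_days).items():
        if r["active"] == 0:
            findings.append((app, "UNUSED"))          # nobody used it in the window
        elif r["ratio"] < low_usage:
            findings.append((app, "LOW_USAGE"))       # access granted far wider than used
        cert = SUPPLIER_CERTS.get(app)
        if cert is None:
            findings.append((app, "NO_CERT"))         # no supplier certificate on record
        elif cert[1] < today:
            findings.append((app, "CERT_EXPIRED"))    # clearance needs re-certification
    return findings


if __name__ == "__main__":
    for app, code in review_findings("2024-05-10"):
        print(f"{app}: {code}")
```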

Rationale

This control deals mostly with contractual obligations, not so much with technical controls and measures. However, there are some advantages that midPoint can provide.
