ISO/IEC 27001 Control 5.22: Monitoring, review and change management of supplier services
Control
The organization should regularly monitor, review, evaluate and manage change in supplier information security practices and service delivery.
Necessity of MidPoint
MidPoint's contribution to the implementation of this control is marginal.
Implementation of the control lies mostly outside the scope of identity governance and administration (IGA), so midPoint cannot provide a significant advantage. However, midPoint can still provide minor supporting information and functionality.
Implementation Overview
MidPoint can provide some monitoring and inventory capabilities for applications.
Implementation Details
The application inventory can be used to catalog the third-party (cloud) services used by the organization, which provides a basis for regular review, e.g. review of the classifications assigned to them. MidPoint can also monitor some user activity on these applications: for example, it can detect that an application has been used recently, or that an application is used by only a fraction of the users who have access to it. Clearances applied to supplier organizations can represent supplier company certificates, e.g. an ISO/IEC 27001 certificate. Certification campaigns can then be set up to regularly review the validity of these certificates and to re-evaluate the evidence of regulatory compliance.
Rationale
This control deals mostly with contractual obligations, not so much with technical controls and measures. However, there are some advantages that midPoint can provide.
Related Features
Related Controls
- ISO/IEC 27001 5.19: Information security in supplier relationships
- ISO/IEC 27001 5.20: Addressing information security within supplier agreements
- ISO/IEC 27001 5.21: Managing information security in the ICT supply chain
- ISO/IEC 27001 5.35: Independent review of information security
- ISO/IEC 27001 5.36: Compliance with policies, rules and standards for information security
- ISO/IEC 27001 8.14: Redundancy of information processing facilities
- ISO/IEC 27001 5.23: Information security for use of cloud services
- ISO/IEC 27001 5.31: Legal, statutory, regulatory and contractual requirements
- ISO/IEC 27001 8.19: Installation of software on operational systems