What is Information Security in Supplier Agreements?
Information Security in Supplier Agreements is an ISO 27001 control that requires organisations to ensure information security is addressed within supplier agreements. This means when you work with another company (a supplier), you must have a contract that clearly states how they will protect your data. The goal is to make sure that your sensitive information remains secure even when it’s being handled by someone else.
Examples
- Cloud Service Provider: If a company uses a cloud service like Microsoft Azure or Amazon Web Services, their agreement with the provider should include clauses on data encryption, access controls, and incident response procedures.
- Payroll Service: When a company hires a third party to manage employee payroll, the contract must specify how the payroll provider will protect sensitive employee data, like social security numbers and bank details.
- Marketing Agency: An agreement with a marketing agency that handles customer data should detail how that data is stored, processed, and deleted after the campaign is over.
Context
This control is crucial for managing supply chain risk. Many data breaches happen because a supplier, not the main company, had a weakness in their security. By using this control, an organisation can reduce its risk and protect its reputation. It’s about making sure that everyone in your business network follows the same high standards for security.
Relevant ISO 27001 Controls
The following controls from the ISO/IEC 27001:2022 standard are related to access control:
- ISO 27001:2022 Annex A 5.20 Addressing Information Security Within Supplier Agreements: this is the main control for Information Security in Supplier Agreements
- ISO 27001:2022 Annex A 5.19 Information Security In Supplier Relationships: This is a broader control that covers the entire process of managing supplier relationships, including the initial selection, ongoing monitoring, and termination.
- ISO 27001:2022 Annex A 5.21 Managing Information Security In The ICT Supply Chain: This control focuses specifically on the security of the information and communication technology (ICT) supply chain. It addresses risks related to hardware, software, and services acquired from suppliers.
- ISO 27001:2022 Annex A 5.22 Monitor, Review And Change Management Of Supplier Services: This control provides specific guidance for the management of supplier services.
- ISO 27001:2022 Annex A 5.23 Information Security For Use Of Cloud Services: This control provides specific guidance for securing information when using cloud services, which are a common type of supplier relationship today.