ISO 27001 Monitoring, Review and Change Management of Supplier Services is the process of keeping an eye on and making changes to services you get from other companies, ensuring they’re secure. It’s about making sure your suppliers are following the security rules you’ve set, and that any changes to their services don’t create new risks for your business.
Context
When you hire a supplier, like a cloud provider or a company that manages your website, you need to be sure they handle your data safely. This control is about having a plan to regularly check what they’re doing and to manage any changesthey make. For example, if a supplier decides to upgrade their system, you need to know how that might affect the security of your data. This helps you prevent problems before they happen.
Examples
- Regular checks: Every three months, you review your cloud provider’s security reports to make sure they’re meeting their promises.
- Change control: Your payroll provider wants to switch to a new software system. You ask for a security assessment of the new system before they make the change.
- Performance review: You hold a meeting with your IT support company every six months to discuss their performance and any new security risks.
Relevant ISO 27001 Controls
The following controls from the ISO/IEC 27001:2022 standard are related to ISO 27001 Monitoring, Review and Change Management of Supplier Services:
- ISO 27001:2022 Annex A 5.20 Addressing Information Security Within Supplier Agreements: this is the main control for Information Security in Supplier Agreements
- ISO 27001:2022 Annex A 5.19 Information Security In Supplier Relationships: This is a broader control that covers the entire process of managing supplier relationships, including the initial selection, ongoing monitoring, and termination.
- ISO 27001:2022 Annex A 5.21 Managing Information Security In The ICT Supply Chain: This control focuses specifically on the security of the information and communication technology (ICT) supply chain. It addresses risks related to hardware, software, and services acquired from suppliers.
- ISO 27001:2022 Annex A 5.22 Monitor, Review And Change Management Of Supplier Services: This control provides specific guidance for the management of supplier services.
- ISO 27001:2022 Annex A 5.23 Information Security For Use Of Cloud Services: This control provides specific guidance for securing information when using cloud services, which are a common type of supplier relationship today.