A.5.21 Managing Information Security in the Information and Communication Technology (ICT) Supply Chain would include:
- Supply Chain Security Policy: Documentation of a comprehensive supply chain security policy that outlines the organization's approach to managing information security risks related to ICT suppliers and service providers.
- Supplier Selection Criteria: Evidence of established criteria and processes for evaluating and selecting ICT suppliers based on their information security capabilities, compliance with security standards, and track record.
- Supplier Contracts and Agreements: Copies of contracts or agreements with ICT suppliers that include specific information security requirements, responsibilities, and obligations.
- Information Security Requirements: Documentation of the information security requirements communicated to ICT suppliers, such as security standards, data protection requirements, incident reporting procedures, and access controls.
- Supplier Security Assessments: Records of security assessments or audits conducted on ICT suppliers to evaluate their information security practices and identify potential risks.
- Incident Management with Suppliers: Evidence of procedures in place for reporting and managing security incidents involving ICT suppliers, including incident response and communication protocols.
- Supply Chain Risk Assessment: Documentation of risk assessments conducted to identify and assess potential information security risks associated with the ICT supply chain.
- Third-Party Security Assessments: Evidence of third-party assessments or certifications obtained from independent organizations that evaluate the security posture of ICT suppliers.
- Continuous Monitoring: Records of ongoing monitoring and evaluation of ICT suppliers' information security practices and performance.
- Incident and Issue Tracking: Logs or records of incidents, breaches, or issues related to ICT suppliers and the organization's response and resolution actions.
- Training and Awareness: Evidence of training and awareness programs for employees involved in managing the ICT supply chain, emphasizing information security best practices and risk management.
- Compliance Documentation: Evidence of compliance with relevant industry regulations, legal requirements, and standards related to information security in the ICT supply chain.
These pieces of evidence are used to assess how effectively the organization manages information security risks in the ICT supply chain. This includes evaluating the organization's processes for supplier selection, contract management, risk assessment, incident management, and ongoing monitoring to ensure that the ICT supply chain remains secure and resilient against potential threats and vulnerabilities.