Evidence that A.5.20 "Addressing Information Security within Supplier Agreements" is implemented would include:
- Supplier Agreements: Copies of supplier agreements or contracts that demonstrate the inclusion of clauses related to information security requirements, responsibilities, and expectations.
- Information Security Requirements: Documentation indicating the specific information security requirements that are stipulated in the supplier agreements. This could include confidentiality, data protection, access controls, security incident reporting, etc.
- Risk Assessment: Records of risk assessments conducted to identify the potential information security risks associated with the products or services provided by suppliers.
- Due Diligence: Evidence of due diligence performed on suppliers' information security practices, such as security audits, questionnaires, or assessments, before entering into agreements.
- Supplier Selection Criteria: Documentation outlining the criteria used to select suppliers based on their information security capabilities and practices.
- Security Obligations: Proof of the contractual obligations imposed on suppliers regarding the protection of sensitive information, data handling, security controls, and compliance with relevant regulations.
- Data Protection and Privacy: Evidence that supplier agreements align with data protection and privacy regulations, ensuring that the supplier handles personal data appropriately.
- Incident Reporting: Documentation indicating that suppliers are required to report security incidents promptly and provide necessary support during incident response.
- Third-Party Audits: Records of third-party audits or assessments conducted on suppliers' information security practices to ensure ongoing compliance.
- Change Management: Proof that the supplier agreements address how changes to products or services, software updates, or modifications will be managed to maintain security.
- Termination and Exit Strategy: Documentation outlining procedures for terminating supplier agreements and ensuring the secure return or disposal of sensitive information.
- Contractual Enforcement: Evidence of mechanisms in place to enforce the information security requirements within supplier agreements, including consequences for non-compliance.
- Communication and Training: Records indicating how the supplier's staff are informed and trained on the organization's information security requirements.
- Continuous Monitoring: Documentation showing that the organization monitors the security practices of its suppliers on an ongoing basis.
- Supplier Relationship Management: Proof of a process for maintaining a relationship with suppliers that includes periodic reviews of their security posture.
By examining these pieces of evidence, an auditor can assess whether the organization has established a robust approach to addressing information security within its supplier agreements, ensuring that the organization's information and data remain protected throughout the supply chain. Note that the items on ongoing monitoring and change management overlap with A.5.22 "Monitoring, Review and Change Management of Supplier Services"; for A.5.20 the auditor's focus is on whether the agreements themselves contain the required security clauses, not only on how those clauses are later policed.