8.6.2.3 Selection, Background Screening, and Vetting of Subcontractors
This section emphasizes the organization's responsibility for the selection, background screening, and vetting of its subcontractors. Proper procedures are crucial to ensure that subcontractors are aligned with the organization's standards and with the Security Operations Management System (SOMS). Here's a detailed breakdown:
- Defined Procedures:
The organization must establish clear and well-documented procedures for the selection, background screening, and vetting of subcontractors. These procedures are essential to assess the suitability of subcontractors for the tasks they will perform on behalf of the organization.
- Responsibility and Liability:
The organization retains full responsibility for the subcontractor's work and is liable for the subcontractor's conduct, where applicable and within the constraints of the law. This underscores the organization's commitment to ensuring that subcontractors meet the required standards.
- Contractual Agreements:
The organization must establish appropriate written contractual agreements with subcontractors. These agreements should outline the terms, conditions, and expectations regarding the subcontractor's responsibilities, including their alignment with the SOMS.
- Client Notification and Approval:
The organization should inform the client in writing about its arrangement with subcontractors. In situations where it is deemed necessary, client approval should be obtained. This ensures transparency and client awareness of subcontractor involvement.
- Subcontractor Register:
Maintaining a register of all subcontractors used is essential for proper management and tracking. This register should include the subcontractor's identity, the scope of work, and other relevant details.
- Communication of Responsibilities:
The organization must effectively communicate the responsibilities outlined in this International Standard to the subcontractor. This ensures that subcontractors understand and adhere to the standards and expectations set by the organization.
- Record of Conformance:
The organization should maintain a record of evidence that demonstrates subcontractor conformance with this International Standard. This record should reflect whether the subcontractor has followed the specified standards or deviated from them.
By following these procedures, the organization can effectively manage and control its relationship with subcontractors, ensuring that they align with the SOMS and meet the necessary standards and expectations. This approach promotes consistency and accountability across all tiers of personnel involved in security operations.