11. Supplier Relationships

Controls (A.15):

  • A.15.1.1: Information Security Policy for Supplier Relationships

  • A.15.1.2: Addressing Security Within Supplier Agreements

  • A.15.1.3: Information and Communication Technology Supply Chain

  • A.15.2.1: Monitoring and Review of Supplier Services

  • A.15.2.2: Managing Changes to Supplier Services

Control A.15.1.1: Information Security Policy for Supplier Relationships

Audit Questions:

  • Is there an information security policy for managing supplier relationships?

  • How is this policy communicated and enforced with suppliers?

Common Non-Conformities (NC):

  • Lack of an information security policy for supplier relationships.

  • Policy not communicated effectively to suppliers.

  • Inadequate enforcement of the policy.

Control A.15.1.2: Addressing Security Within Supplier Agreements

Audit Questions:

  • Are information security requirements included in supplier agreements?

  • How are these requirements monitored and enforced?

Common Non-Conformities (NC):

  • No security requirements included in supplier agreements.

  • Inadequate monitoring and enforcement of security requirements.

Control A.15.1.3: Information and Communication Technology Supply Chain

Audit Questions:

  • How is the security of the information and communication technology (ICT) supply chain managed?

  • Are there measures to ensure the security of products and services acquired through the ICT supply chain?

Common Non-Conformities (NC):

  • Lack of security management for the ICT supply chain.

  • Insufficient measures to secure products and services in the supply chain.

Control A.15.2.1: Monitoring and Review of Supplier Services

Audit Questions:

  • How are supplier services monitored and reviewed for compliance with information security policies?

  • Are there regular reviews and audits of supplier performance?

Common Non-Conformities (NC):

  • No monitoring or review of supplier services.

  • Infrequent or inadequate reviews and audits of supplier performance.

Control A.15.2.2: Managing Changes to Supplier Services

Audit Questions:

  • What procedures are in place for managing changes to supplier services?

  • How are changes reviewed for security impacts before implementation?

Common Non-Conformities (NC):

  • No procedures for managing changes to supplier services.

  • Changes implemented without security impact assessments.
