Content library
ISO 27001 (2013): Full
15.2.2: Managing changes to supplier services

How to fill the requirement

ISO 27001 (2013): Full

15.2.2: Managing changes to supplier services

Task name
Priority
Status
Theme
Policy
Other requirements
Definition of supplier-specific responsible persons
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Partner management
Agreements and monitoring
requirements

Task is fulfilling also these other security requirements

15.2.2: Managing changes to supplier services
ISO27 Full
8.1.2: Ownership of assets
ISO27 Full
ID.SC-4: Audit suppliers and third-party partners
NIST
CC9.2: Partner risk management
SOC 2
ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations.
CyFun
1. Task description

A responsible person has been appointed for the provider companies, who monitors the provider's activities, communications and compliance with the contract.

Responsible person must have sufficient skills to analyze cyber security requirements depending on the criticality of the provider. Responsible person also ensures that the provider appoints an own responsible person to ensure compliance with the contract and facilitate cooperation.

Managing changes to supplier services
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Partner management
Agreements and monitoring
requirements

Task is fulfilling also these other security requirements

15.2.2: Managing changes to supplier services
ISO27 Full
HAL-16.1: Hankintojen turvallisuus - sopimukset
Julkri
CC9.2: Partner risk management
SOC 2
CC3.4: Identification and assesment of changes
SOC 2
1. Task description

The responsible person monitors significant changes in the supplier's operations that may affect the supplier relationship and service level, and thus require other measures. The following aspects are taken into account:

  • direct changes to supplier agreements
  • service content improvements, new technologies or the development of new services
  • significant changes in operating methods (either related to cyber security or other activities)
  • changes in the physical location of the data
  • changes in the supply chain / subcontracting process
No items found.