ISO IEC 27002 2013 INFORMATION SECURITY AUDIT TOOL

15. SUPPLIER RELATIONSHIP MANAGEMENT AUDIT

15.1 ESTABLISH SECURITY AGREEMENTS WITH SUPPLIERS

15.1.1 EXPECT SUPPLIERS TO COMPLY WITH RISK MITIGATION AGREEMENTS

Do you clarify the information security risks that exist whenever

your suppliers have access to your organizations assets?

CTRL

Do you use your supplier access policy to document your access controls?

Do you establish control by developing processes and procedures?

GUIDE

Do you develop processes and procedures that you must apply?

GUIDE

Do you develop processes and procedures that suppliers must use?

Did you identify the types of suppliers that will be allowed to have access?

Did you describe the information that each type of supplier may access?

Did you define security requirements for each type of information?

Did you specify access controls for each type of information?

Do you clarify your risk mitigation requirements and the risk mitigation
expectations that your organizations suppliers must comply with?

CTRL

Do you establish security risk mitigation agreements with suppliers?

CTRL

Do you document your security risk mitigation agreements?

CTRL
GUIDE

Did you establish a policy to control supplier access to your information?

GUIDE
GUIDE

GUIDE

Did you establish controls to restrict supplier access to your information?

GUIDE
GUIDE

Did you describe specific access controls for each type of supplier?

GUIDE
GUIDE
GUIDE

Did you describe monitoring methods for each type of supplier?

GUIDE
GUIDE

Do you create information accuracy and completeness controls?

Do you use your controls to ensure the integrity of information?

GUIDE

Do you use them to ensure the integrity of information processing?

GUIDE
GUIDE

Do you clarify suppliers information security duties and obligations?

ORGANIZATION:

YOUR LOCATION:

COMPLETED BY:

DATE COMPLETED:

REVIEWED BY:

DATE REVIEWED:

APR 2014

PLAIN ENGLISH INFORMATION SECURITY AUDIT TOOL

PART 15

COPYRIGHT 2014 BY PRAXIOM RESEARCH GROUP LIMITED. ALL RIGHTS RESERVED.

EDITION 1.0
PAGE 121

ISO IEC 27002 2013 INFORMATION SECURITY AUDIT TOOL

15. SUPPLIER RELATIONSHIP MANAGEMENT AUDIT

GUIDE

Did you develop a typical supplier relationship management process?

Do you consider the type of information each supplier may access?

Do you consider your unique risk profile and business needs?

Do you define access controls for each type of information?

Do you describe how transitions should be managed and controlled?

GUIDE

Do you clarify how information will be moved safely and securely?

GUIDE

Do you clarify how information processing facilities are protected?

Do you allocate responsibilities to both you and your suppliers?

Do you clarify your resilience and recovery needs and requirements?

Do you clarify your suppliers resilience and recovery obligations?

Do you establish joint resilience and recovery arrangements?

Do you monitor compliance with information security requirements?

Did you establish supplier monitoring processes and procedures?

Did you develop a typical supplier relationship management lifecycle?

GUIDE
GUIDE

Do you prepare information security agreements for each supplier (15.1.2)?

Do you define your minimum information security requirements?

GUIDE
GUIDE
GUIDE
GUIDE
GUIDE

Do you assign responsibility for handling information security incidents?

GUIDE
GUIDE
GUIDE
GUIDE
GUIDE

Do you document all information security requirements and controls?

GUIDE
GUIDE
GUIDE
GUIDE

Did you establish processes and procedures for each type of supplier?

GUIDE

Did you establish processes and procedures for each type of access?

Do you review compliance with information security requirements?

GUIDE

Did you establish third party review processes and procedures?

GUIDE

Did you establish product validation processes and procedures?

GUIDE

ORGANIZATION:

YOUR LOCATION:

COMPLETED BY:

DATE COMPLETED:

REVIEWED BY:

DATE REVIEWED:

APR 2014

PLAIN ENGLISH INFORMATION SECURITY AUDIT TOOL

PART 15

COPYRIGHT 2014 BY PRAXIOM RESEARCH GROUP LIMITED. ALL RIGHTS RESERVED.

EDITION 1.0
PAGE 122

ISO IEC 27002 2013 INFORMATION SECURITY AUDIT TOOL

15. SUPPLIER RELATIONSHIP MANAGEMENT AUDIT

Did you establish an awareness program to talk about supplier security?

Do you make your personnel aware of your supplier access controls?

GUIDE

Do you teach buyers about your policies, processes and procedures?

GUIDE

Do you explain how your personnel should interact with suppliers?

GUIDE
GUIDE

GUIDE

Do you distinguish between types of suppliers and types of access?

GUIDE

Do you clarify the access that suppliers may be allowed to have?

15.1.2 EXPECT SUPPLIERS TO COMPLY WITH INFORMATION SECURITY AGREEMENTS

CTRL

Have you identified all of the information security

requirements that you expect suppliers to comply with?

CTRL

Do you clarify information security requirements whenever

suppliers must access your organizations information?

CTRL

Do you clarify information security requirements whenever

suppliers must process your organizations information?

CTRL

Do you clarify information security requirements whenever

suppliers must store your organizations information?

CTRL

Do you clarify information security requirements whenever suppliers

must communicate using your organizations information?

CTRL

Do you clarify information security requirements whenever

your suppliers must provide IT infrastructure components?

Have you established information security agreements with each supplier?

Did you develop information security agreements for each supplier?

CTRL
GUIDE
GUIDE

Do you describe relevant information security policies for each contract?

GUIDE

Do you describe the type of information that may be provided or accessed?

GUIDE

Do you describe the methods that may be used to provide information?

GUIDE

Do you describe the methods that may be used to access information?

ORGANIZATION:

YOUR LOCATION:

COMPLETED BY:

DATE COMPLETED:

REVIEWED BY:

DATE REVIEWED:

APR 2014

PLAIN ENGLISH INFORMATION SECURITY AUDIT TOOL

PART 15

COPYRIGHT 2014 BY PRAXIOM RESEARCH GROUP LIMITED. ALL RIGHTS RESERVED.

EDITION 1.0
PAGE 123

ISO IEC 27002 2013 INFORMATION SECURITY AUDIT TOOL

15. SUPPLIER RELATIONSHIP MANAGEMENT AUDIT

GUIDE

Do you describe the information classification scheme that will be used?

Do you map your organizations scheme (8.2) against each suppliers?

GUIDE

GUIDE

Do you describe all relevant legal and regulatory requirements?

Do you explain how legal and regulatory requirements must be met?

GUIDE

GUIDE

Do you describe data protection obligations and requirements?

GUIDE

Do you describe intellectual property rights and requirements?

GUIDE

Do you describe the controls that each party must implement?

Do you describe the access controls that must be established?

GUIDE

GUIDE

Do you describe acceptable and unacceptable uses of information?

GUIDE

Do you describe how appropriate supplier personnel will be selected?

Do you specify personnel screening requirements and responsibilities?

Do you establish notification procedures that screeners must use?

GUIDE

GUIDE
GUIDE

Do you ask suppliers to notify you if they uncover security issues?

GUIDE

Do you ask suppliers to notify you if they fail to screen personnel?

Do you describe how authorized persons will be assigned and removed?

GUIDE

Do you describe how and when access authorizations will be assigned?

GUIDE

GUIDE

Do you consider creating explicit lists of authorized personnel?

GUIDE

Do you consider establishing supplier authorization procedures?

GUIDE

Do you consider defining supplier authorization conditions?

Do you describe how and why access authorizations would be revoked?

Do you describe rules to control the use of subcontractors by suppliers?

GUIDE

GUIDE

ORGANIZATION:

YOUR LOCATION:

COMPLETED BY:

DATE COMPLETED:

REVIEWED BY:

DATE REVIEWED:

APR 2014

PLAIN ENGLISH INFORMATION SECURITY AUDIT TOOL

PART 15

COPYRIGHT 2014 BY PRAXIOM RESEARCH GROUP LIMITED. ALL RIGHTS RESERVED.

EDITION 1.0
PAGE 124

ISO IEC 27002 2013 INFORMATION SECURITY AUDIT TOOL

15. SUPPLIER RELATIONSHIP MANAGEMENT AUDIT

GUIDE

Do you describe controls suppliers must use to manage subcontractors?

Do you describe your organizations incident management procedures?

Do you describe your notification and collaboration procedures?

Do you describe your organizations incident management requirements?

GUIDE
GUIDE
GUIDE
GUIDE

Do you explain how people will work together if incidents occur?

Do you describe your security training and awareness requirements?

GUIDE
GUIDE

Do you expect suppliers to explain incident response procedures?

GUIDE

Do you expect suppliers to explain access authorization procedures?

Do you describe how you plan to communicate with each supplier?

Do you identify contacts for each information security agreement?

GUIDE
GUIDE
GUIDE

Do you describe how you plan to monitor supplier performance?

GUIDE

Do you describe your right to audit suppliers processes and controls?

GUIDE

Do you describe the supplier audits that you plan to carry out?

GUIDE

Do you describe how you plan to review the performance of suppliers?

GUIDE

Do you describe suppliers reporting obligations and responsibilities?

Do you ask suppliers to submit regular independent security reports?

GUIDE

Do you ask suppliers to report on the effectiveness of their controls?

GUIDE

Do you ask suppliers to explain how security issues were resolved?

Do you describe defect resolution and conflict resolution processes?

Do you document the security agreements you have with each supplier?

Do you expect your suppliers to comply with all security requirements?

Do you document the security obligations that your suppliers have?

GUIDE

GUIDE
GUIDE
GUIDE
GUIDE

ORGANIZATION:

YOUR LOCATION:

COMPLETED BY:

DATE COMPLETED:

REVIEWED BY:

DATE REVIEWED:

APR 2014

PLAIN ENGLISH INFORMATION SECURITY AUDIT TOOL

PART 15

COPYRIGHT 2014 BY PRAXIOM RESEARCH GROUP LIMITED. ALL RIGHTS RESERVED.

EDITION 1.0
PAGE 125

ISO IEC 27002 2013 INFORMATION SECURITY AUDIT TOOL

15. SUPPLIER RELATIONSHIP MANAGEMENT AUDIT

15.1.3 EXPECT SUPPLIERS TO DEAL WITH THEIR OWN SUPPLY CHAIN SECURITY RISKS

Do you expect your suppliers to address the information security

risks connected with their use of information and communications
technology services and product supply chains?

CTRL

Do you include information security risk management requirements

in the agreements you have with your organizations suppliers?

CTRL

GUIDE

Do you expect your suppliers to control their own supply chain risks?

GUIDE

Do you prepare supply chain security agreements with your suppliers?

Do you define the security requirements that suppliers must meet?

Do you define security requirements that apply to your suppliers?

GUIDE
GUIDE
GUIDE

Do you expect them to ensure that products meet requirements?

GUIDE

Do you expect them to ensure that services meet requirements?

Do you define the requirements that apply to suppliers purchases?

GUIDE

Do you clarify requirements for information products and services?

GUIDE

Do you clarify requirements for communications technologies?

Do you ask suppliers to create a process to identify critical components?

Do you ask them to identify critical product and service components?

Do you ask them to pay special attention to critical components?

Do you ask them to monitor critical outsourced components?

Do you clarify the requirements that your suppliers suppliers must meet?

Do you ask suppliers to implement security throughout supply chains?

Do you ask them to protect the technologies that you depend upon?

Do you ask them to protect IT and communication technologies?

GUIDE

GUIDE
GUIDE
GUIDE
GUIDE

GUIDE

Do you ask them to ensure that critical components work as expected?

GUIDE
GUIDE

Do you ask them to ensure that the origin of items can be traced?

GUIDE
GUIDE
GUIDE

ORGANIZATION:

YOUR LOCATION:

COMPLETED BY:

DATE COMPLETED:

REVIEWED BY:

DATE REVIEWED:

APR 2014

PLAIN ENGLISH INFORMATION SECURITY AUDIT TOOL

PART 15

COPYRIGHT 2014 BY PRAXIOM RESEARCH GROUP LIMITED. ALL RIGHTS RESERVED.

EDITION 1.0
PAGE 126

ISO IEC 27002 2013 INFORMATION SECURITY AUDIT TOOL

15. SUPPLIER RELATIONSHIP MANAGEMENT AUDIT
Do you ask them to safeguard the services that they subcontract?

Do you ask suppliers to propagate required security practices?

Do you ask them to safeguard the components that they buy?

Do you ask suppliers to propagate security requirements?

Do you expect suppliers to establish a supplier monitoring process?

GUIDE
GUIDE
GUIDE
GUIDE
GUIDE

Do you expect them to validate technology products and services?

GUIDE
GUIDE

Do you expect them to see if products meet security requirements?

GUIDE

Do you expect them to see if services meet security requirements?

Do you expect them to share information about their supply chains?

GUIDE
GUIDE

Do you ask them to share information about potential problems?

GUIDE

Do you ask them to share information about component lifecycles?

Do you ask them to tell you if items may no longer be available?

GUIDE
GUIDE

Do you ask suppliers to help you manage related security risks?

15.2 MANAGE SUPPLIER SECURITY AND SERVICE DELIVERY

15.2.1 MANAGE SUPPLIER SERVICES AND SUPPLIER SECURITY
CTRL

Do you monitor supplier service delivery and information security?

CTRL

Do you review supplier service delivery and information security?

CTRL

Do you audit supplier service delivery and information security?

Have you established a process to manage your relationship with suppliers?

Do you ask suppliers to assign someone to manage service agreements?

Do you ask them to enforce agreements and to review compliance?

GUIDE

Did you assign responsibility for managing your supplier relationships?

GUIDE

Did you assign this job to an individual or service management team?

GUIDE
GUIDE
GUIDE
GUIDE

Did you implement your supplier relationship management process?

ORGANIZATION:

YOUR LOCATION:

COMPLETED BY:

DATE COMPLETED:

REVIEWED BY:

DATE REVIEWED:

APR 2014

PLAIN ENGLISH INFORMATION SECURITY AUDIT TOOL

PART 15

COPYRIGHT 2014 BY PRAXIOM RESEARCH GROUP LIMITED. ALL RIGHTS RESERVED.

EDITION 1.0
PAGE 127

ISO IEC 27002 2013 INFORMATION SECURITY AUDIT TOOL

15. SUPPLIER RELATIONSHIP MANAGEMENT AUDIT

Do you use your process to ensure that suppliers can provide services?

GUIDE

Do you verify that suppliers have workable service continuity plans?

Do you verify that services can be provided after big disasters (17)?

Do you verify that acceptable service levels can be maintained?

Do you use your process to monitor supplier service and compliance?

Do you check compliance with information security agreements?

Do you monitor suppliers service delivery performance levels?

GUIDE

Do you support monitoring by providing needed skills and resources?

GUIDE

Do you verify that security incidents and issues are well managed?

Do you use your process to coordinate and control critical suppliers?

Do you control suppliers who manage or provide critical services?

Do you verify that suppliers are capable of maintaining service levels?

GUIDE
GUIDE
GUIDE
GUIDE
GUIDE
GUIDE
GUIDE

Do you take action whenever incidents occur and service suffers?

GUIDE
GUIDE
GUIDE
GUIDE
GUIDE
GUIDE

Do you retain control over how these suppliers manage security?

Do you control how suppliers protect your critical facilities?
Do you monitor how critical suppliers manage your security?

GUIDE

Do you monitor how critical suppliers identify vulnerabilities?

GUIDE

Do you monitor how critical suppliers respond to incidents?

GUIDE

Do you monitor how critical suppliers manage changes?

GUIDE

Do you monitor how critical suppliers report incidents?

GUIDE
GUIDE
GUIDE
GUIDE

Did you establish a security incident reporting process?

Do you control how suppliers protect sensitive information?
Do you control how suppliers access sensitive information?
Do you monitor how suppliers protect sensitive information?

ORGANIZATION:

YOUR LOCATION:

COMPLETED BY:

DATE COMPLETED:

REVIEWED BY:

DATE REVIEWED:

APR 2014

PLAIN ENGLISH INFORMATION SECURITY AUDIT TOOL

PART 15

COPYRIGHT 2014 BY PRAXIOM RESEARCH GROUP LIMITED. ALL RIGHTS RESERVED.

EDITION 1.0
PAGE 128

ISO IEC 27002 2013 INFORMATION SECURITY AUDIT TOOL

15. SUPPLIER RELATIONSHIP MANAGEMENT AUDIT

GUIDE

Do you control how suppliers process sensitive information?

Do you monitor how suppliers process sensitive information?

Do you use your process to share information about security incidents?

Do you review service delivery reports generated by your suppliers?

Do you arrange regular progress meetings (to verify compliance)?

Do you review how well security incidents are being handled?

GUIDE

Do you review supplier audit trails and records of security events?

GUIDE

Do you review operational problems, failures, faults, and disruptions?

Do you resolve identified problems, failures, faults, and disruptions?

Do you review the relationship suppliers have with their own suppliers?

Do you review the information security aspects of this relationship?

Do you evaluate changes to services provided by your suppliers?

CTRL

Do you think about how critical your business information is

and how important your systems and processes are whenever
you evaluate changes to supplier services?

CTRL

Do you re-assess your organizations information security risks

whenever changes to supplier services are being considered?

GUIDE
GUIDE
GUIDE

Do you evaluate supplier service delivery and compliance (15.1.3)?

Do you audit supplier compliance with your supplier agreements?

GUIDE

Do you study reports produced by independent auditors (if available)?

GUIDE

Do you follow up on compliance and performance problems?

GUIDE

Do you review supplier compliance with your supplier agreements?

GUIDE
GUIDE
GUIDE
GUIDE

GUIDE
GUIDE
GUIDE

Do you review information security incidents with your suppliers?

GUIDE

15.2.2 MANAGE CHANGES TO SERVICES PROVIDED BY SUPPLIERS

CTRL

CTRL

Do you manage changes to services provided by suppliers?

CTRL

Do you manage changes in information security policies?

ORGANIZATION:

YOUR LOCATION:

COMPLETED BY:

DATE COMPLETED:

REVIEWED BY:

DATE REVIEWED:

APR 2014

PLAIN ENGLISH INFORMATION SECURITY AUDIT TOOL

PART 15

COPYRIGHT 2014 BY PRAXIOM RESEARCH GROUP LIMITED. ALL RIGHTS RESERVED.

EDITION 1.0
PAGE 129

ISO IEC 27002 2013 INFORMATION SECURITY AUDIT TOOL

15. SUPPLIER RELATIONSHIP MANAGEMENT AUDIT

CTRL

Do you manage changes in information security controls?

CTRL

Do you manage changes in information security procedures?

GUIDE

Do you manage changes to supplier agreements (15.1.2, 15.1.3)?

GUIDE

Do you manage the changes that you make to supplier services?

GUIDE

Do you manage and control changes in policies and procedures?

GUIDE

Do you manage and control enhancements to current services?

GUIDE

Do you manage and control the development of new applications?

Do you manage and control the development of new systems?

Do you manage and control changes in information security controls?

Do you manage and control how security incidents are resolved?

GUIDE
GUIDE
GUIDE

Do you manage and control all attempts to improve security?

GUIDE
GUIDE

Do you manage the changes that suppliers make to their services?

GUIDE

Do you manage and control changes and enhancements to networks?

GUIDE

Do you manage and control the use of new technologies and techniques?

GUIDE

Do you manage and control the use of new products and new versions?

GUIDE

Do you manage and control the use of new development environments?

Do you manage and control the use of new development tools?

GUIDE

Do you manage and control changes in location or service facilities?

GUIDE

Do you manage and control changes in suppliers and contractors?

GUIDE

GUIDE
GUIDE

Do you manage and control changes in the use of subcontractors?

Do you control how suppliers subcontract to another supplier?

Answer each of the above questions. Three answers are possible: Y (yes), N (no), and X (eXclude). Y means you're in compliance,
N means you're not in compliance, while X means that this question can be excluded because its not applicable in your situation.
Y answers and X answers require no further action, while N answers point to security practices that need to be followed and
security controls that need to be implemented. Also, please use the column on the right to record your notes, and in the spaces
below, enter the name and location of your organization, who completed this page, who reviewed it, and the dates.

ORGANIZATION:

YOUR LOCATION:

COMPLETED BY:

DATE COMPLETED:

REVIEWED BY:

DATE REVIEWED:

APR 2014

PLAIN ENGLISH INFORMATION SECURITY AUDIT TOOL

PART 15

COPYRIGHT 2014 BY PRAXIOM RESEARCH GROUP LIMITED. ALL RIGHTS RESERVED.

EDITION 1.0
PAGE 130