Control 5.22 stipulates how organisations should monitor, review and manage changes in a supplier's information security practices and service delivery standards, and how they should assess the impact of those changes on the organisation's own level of information security.
When managing the relationship with their suppliers, an organisation should seek to maintain a baseline level of information security that adheres to any agreements that have been entered into.
5.22 is a preventative control that modifies risk by maintaining an “agreed level of information security and service delivery” on the part of the supplier.
Control Type | Information Security Properties | Cybersecurity Concepts | Operational Capabilities | Security Domains |
---|---|---|---|---|
#Preventative | #Confidentiality #Integrity #Availability | #Identify | #Supplier Relationships Security | #Governance and Ecosystem #Protection #Defence #Information Security Assurance |
Ownership of Control 5.22 should rest with a member of senior management who oversees the organisation's commercial operation and maintains a direct relationship with the organisation's suppliers, such as a Chief Operating Officer.
Control 5.22 contains 13 main areas that organisations need to consider when managing supplier relationships, and the effect they have on their own information security standards.
Organisations need to take steps to ensure that employees responsible for managing SLAs and supplier relationships have the requisite skills and technical resources to adequately assess supplier performance and to confirm that information security standards are not being breached.
Organisations should draft policies and procedures which:
ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
---|---|---|
5.7 | New | Threat intelligence |
5.23 | New | Information security for use of cloud services |
5.30 | New | ICT readiness for business continuity |
7.4 | New | Physical security monitoring |
8.9 | New | Configuration management |
8.10 | New | Information deletion |
8.11 | New | Data masking |
8.12 | New | Data leakage prevention |
8.16 | New | Monitoring activities |
8.23 | New | Web filtering |
8.28 | New | Secure coding |
ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
---|---|---|
6.1 | 07.1.1 | Screening |
6.2 | 07.1.2 | Terms and conditions of employment |
6.3 | 07.2.2 | Information security awareness, education and training |
6.4 | 07.2.3 | Disciplinary process |
6.5 | 07.3.1 | Responsibilities after termination or change of employment |
6.6 | 13.2.4 | Confidentiality or non-disclosure agreements |
6.7 | 06.2.2 | Remote working |
6.8 | 16.1.2, 16.1.3 | Information security event reporting |
ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
---|---|---|
7.1 | 11.1.1 | Physical security perimeters |
7.2 | 11.1.2, 11.1.6 | Physical entry |
7.3 | 11.1.3 | Securing offices, rooms and facilities |
7.4 | New | Physical security monitoring |
7.5 | 11.1.4 | Protecting against physical and environmental threats |
7.6 | 11.1.5 | Working in secure areas |
7.7 | 11.2.9 | Clear desk and clear screen |
7.8 | 11.2.1 | Equipment siting and protection |
7.9 | 11.2.6 | Security of assets off-premises |
7.10 | 08.3.1, 08.3.2, 08.3.3, 11.2.5 | Storage media |
7.11 | 11.2.2 | Supporting utilities |
7.12 | 11.2.3 | Cabling security |
7.13 | 11.2.4 | Equipment maintenance |
7.14 | 11.2.7 | Secure disposal or re-use of equipment |