Forming and maintaining productive supplier relationships forms a large part of most modern data-based businesses – whether through the supply of equipment, support services or subcontracting.
From the outset of the relationship, and throughout the duration of the service contract, both parties need to be continually mindful of their obligations towards privacy information security, and standards should be aligned to safeguard PII and guarantee the integrity of sensitive information.
ISO 27701 Clause 6.12 is made up of two constituent parts:
Across these two sections, there are 5 sub-clauses that contain guidance from ISO 27002, applied within the context of privacy information management and security:
Just one of these, ISO 27701 6.12.1.2, contains guidance that is applicable to UK GDPR legislation. The relevant GDPR article numbers have been provided for your convenience.
Please note that GDPR citations are for indicative purposes only. Organisations should scrutinise the legislation and make their own judgement on which parts of the law apply to them.
Organisations need to implement policies and procedures that not only govern the organisation’s use of supplier resources and cloud platforms, but also form the basis of how they expect their suppliers to conduct themselves prior to and throughout the term of the commercial relationship, particularly regarding PII and privacy-related assets.
ISO 27701 6.12.1.1 can be viewed as the essential qualifying document that dictates how privacy information governance is handled over the course of a supplier contract.
Organisations should:
Organisations should use the above guidance when forming new relationships with suppliers, and consider non-adherence on a case-by-case basis.
ISO acknowledges that commercial relationships vary wildly from sector to sector and from business to business, and gives organisations leeway by recommending the exploration of “compensating controls” that seek to achieve the same underlying privacy protection principles.
When addressing security within supplier relationships, organisations should ensure that both parties are aware of their obligations towards privacy information security, and towards one another.
In doing so, organisations should:
Organisations should also maintain a register of agreements that lists all agreements held with other organisations.
When contracting out elements of their supply chain, in order to safeguard PII and privacy-related assets, organisations should:
It’s important to note that quality control doesn’t necessarily extend to granular inspection of the supplier’s own procedures.
Organisations should implement supplier-specific checks that confirm third-party organisations are a reputable source within the sphere of privacy information management.
Organisations need to be continually aware of how supplier services are delivered – and to what levels – in order to maintain a safe, secure privacy information management operation.
To achieve this, organisations should:
See ISO 27701 Clause 6.12.2.1
| ISO 27701 Clause Identifier | ISO 27701 Clause Name | ISO 27002 Control | Associated GDPR Articles |
|---|---|---|---|
| 6.12.1.1 | Information Security Policy for Supplier Relationships | 5.19 – Information Security in Supplier Relationships for ISO 27002 | None |
| 6.12.1.2 | Addressing Security Within Supplier Agreements | 5.20 – Addressing Information Security Within Supplier Agreements for ISO 27002 | Articles (5), (28), (30), (32) |
| 6.12.1.3 | Information and Communication Technology Supply Chain | 5.21 – Managing Information Security in the ICT Supply Chain for ISO 27002 | None |
| 6.12.2.1 | Monitoring and Review of Supplier Services | 5.22 – Monitoring, Review and Change Management of Supplier Services for ISO 27002 | None |
| 6.12.2.2 | Managing Changes to Supplier Services | 5.22 – Monitoring, Review and Change Management of Supplier Services for ISO 27002 | None |
It can be hard to know where to start with ISO 27701, especially if you’ve never had to do anything like this before. This is where ISMS.online comes in!
Our ISO 27701 solutions provide frameworks that allow your organisation to demonstrate compliance with ISO 27701.
Our Information Security experts can work with you to ensure that you develop a logical implementation process that aligns with the online documentation framework.
Find out more by booking a hands-on demo.