
ISMS Supplier Security Policy


VOICECOM

Supplier Security Policy

Internal document
Procedure Ref : PO-DSIXXX
Version : 0.1
Supplier Security Policy Date : 26/09/2020
Page : 2/5

Public Internal Confidential Top Secret

1 Introduction
2 Scope
This policy sets out VOICECOM’s requirements that must be met by contractors in the
handling, management, storage and processing of its information.

3 Revision History
Revision   Date         Record of Changes   Approved By
0.1        09.26.2020   Initial Issue

4 Control of hardcopy versions


The digital version of this document is the most recent version. It is the responsibility of the
individual to ensure that any printed version is the most recent version. The printed version
of this manual is uncontrolled, and cannot be relied upon, except when formally issued by
the <Document Controller> and provided with a document reference number and revision in
the fields below:
Document Ref. Rev. Uncontrolled Copy X Controlled Copy

5 References
Standard         Title                                          Description
ISO 27000:2014   Information security management systems        Overview and vocabulary
ISO 27001:2013   Information security management systems        Requirements
ISO 27002:2013   Information technology - security techniques   Code of practice for information security controls
ISO 19011:2011   Auditing Management Systems                    Guidelines for auditing

6 Definitions
• our “compliance obligations” are our information security obligations under law,
regulation, contract and ISO 27001

• “information assets” include information, information assets and information systems

• “information security” is the preservation of confidentiality, integrity and availability of
VOICECOM’s information. Depending on circumstances, “information security” may also
include the authenticity, accountability, non-repudiation and reliability of VOICECOM’s
information.

• “information risk” is the risk or risks to the security of VOICECOM’s information

Supplier Security Policy Page 2 of 5


• “staff” and “users” means all of those who work under our control, including
employees, contractors, interns etc.

• “we” and “our” refer to VOICECOM

7 Responsibilities
The <ISMS Manager> and <Purchasing Manager> are jointly responsible for all aspects of
the implementation and management of this procedure, unless noted otherwise.
Managers and supervisors are responsible for the implementation of these arrangements
within the scope of their responsibilities and must ensure that all staff under their control
understand and undertake their responsibilities accordingly.

8 Information Security
This policy has been framed as a generic policy for your guidance. It may need editing to
meet your specific requirements.

9 General
We require that the security of our information be maintained in order to ensure that we
are able to rely on our information for our business needs and to meet our compliance
obligations.

10 Information risk assessment and management


Our information security risk assessment methodology is set out in our Control of Risks and
Opportunities Procedure.

11 Compliance obligations
List your legal, regulatory and contractual obligations here.

For example, in the UK, the list might include:

• Civil Evidence Act 1968

• Communications Act 2003

• Computer Misuse Act 1990

• Copyright (Computer Programs) Regulations

• Data Protection Act 1998

• Environmental Information Regulations 2004

• Freedom of Information Act 2000

• Human Rights Act 1998

• Police and Criminal Evidence Act 1985



• Public Records Acts 1958 and 1967

• Regulation of Investigatory Powers Act 2000

• Telecommunications (Lawful Business Practice) (Interception of Communications)
Regulations 2000

• The Official Secrets Act 1989

• Wireless Telegraphy Act 1949


Any organisation accessing, processing, communicating or managing our information must
do so in such a way that these obligations are met.
Any processing of personal data outside the United Kingdom may only take place with the
prior written permission of our <ISMS Manager>.

12 Access to our information assets


• any person accessing our information assets must either hold, or be prepared to
apply for: identity, nationality, criminal and, where necessary, security clearance

• access granted to information assets will be the minimum necessary to achieve the
required purposes

• all of our equipment and security passes must be returned prior to the termination of
the contract

• persons granted access to our information assets must comply with our security
requirements. Failure to comply with these requirements and other relevant
instructions may constitute a breach of contract and lead to termination or legal action.

• we may monitor the use of our information assets for business purposes

• any removable media containing our information must be encrypted to a degree
commensurate with the security classification of the information held within the
removable media

• removable media (including laptops and tablets) may only be used to manage our
information with our explicit consent

• supplier personnel may only enter our premises with an appropriate security pass,
and the scope of their access may be further limited within our premises

13 Information Security Management System Controls


• where a supplier is contracted to manage our information assets, the supplier must
ensure that an information security management system employed to secure our
information assets is in place, and complies with ISO 27001:2013


• satisfactory evidence of compliance to ISO 27001:2013 must be provided, preferably
through formal certification, before any of our information assets are accessed by the
supplier
This may go too far; it depends on your circumstances whether you wish to limit your
potential suppliers in this way.

• a supplier holding our data on our behalf must have in place processes to ensure that
such data can be promptly and efficiently recovered following an emergency

• our information may not be copied by any supplier other than as far as is necessary
for providing the agreed service

• our live data and information may not be used for test purposes. Data and information
to be used for test purposes must be altered in such a way that none of our live data or
information can be reconstructed from that used for test purposes.

• suppliers must agree to permit, and facilitate, audits of all aspects of their information
security management system by ourselves, or our appointed agents, and to address
any findings of such audits in order to preserve the security of information to our
standards and requirements

• suppliers must have a security incident reporting process in place to a standard and
design acceptable to ourselves, to ensure that any incidents involving our information
are immediately reported to us. Suppliers must agree to undertake any remedial action
required by us and ensure that this is auditable.

• the transmission of information between ourselves and a supplier must be encrypted
to a level commensurate with the security classification of the information and to our
requirements

14 Records
Records retained in support of this procedure are listed in the appropriate Controlled
Records Register and controlled according to the Control of Management System Records
Procedure.
