ISMS Supplier Security Policy
Internal document
Procedure Ref : PO-DSIXXX
Version : 0.1
Date : 26/09/2020
1 Introduction
2 Scope
This policy sets out VOICECOM’s requirements that must be met by contractors in the handling, management, storage and processing of its information.
3 Revision History
Revision | Date       | Record of Changes | Approved By
0.1      | 09.26.2020 | Initial Issue     |
5 References
Standard       | Title                                        | Description
ISO 27000:2014 | Information security management systems      | Overview and vocabulary
ISO 27001:2013 | Information security management systems      | Requirements
ISO 27002:2013 | Information technology - security techniques | Code of practice for information security controls
ISO 19011:2011 | Auditing Management Systems                  | Guidelines for auditing
6 Definitions
- our “compliance obligations” are our information security obligations under law, regulation, contract and ISO 27001
- “staff” and “users” mean all of those who work under our control, including employees, contractors, interns etc.
7 Responsibilities
The <ISMS Manager> and <Purchasing Manager> are jointly responsible for all aspects of
the implementation and management of this procedure, unless noted otherwise.
Managers and supervisors are responsible for the implementation of these arrangements
within the scope of their responsibilities and must ensure that all staff under their control
understand and undertake their responsibilities accordingly.
8 Information Security
This policy has been framed as a generic policy for your guidance. It may need editing to
meet your specific requirements.
9 General
We require that the security of our information be maintained, in order to ensure that we are able to rely on our information for our business needs and to meet our compliance obligations.
11 Compliance obligations
List your legal, regulatory and contractual obligations here.
- Records Acts 1958 and 1967
- access granted to information assets will be the minimum necessary to achieve the required purposes
- all of our equipment and security passes must be returned prior to the termination of the contract
- persons granted access to our information assets must comply with our security requirements. Failure to comply with these requirements and other relevant instructions may constitute a breach of contract and lead to termination or legal action.
- we may monitor the use of our information assets for business purposes
- removable media (including laptops and tablets) may only be used to manage our information with our explicit consent
- supplier personnel may only enter our premises with an appropriate security pass, and the scope of their access may be further limited within our premises
- a supplier holding our data on our behalf must have in place processes to ensure that such data can be promptly and efficiently recovered following an emergency
- our information may not be copied by any supplier other than as far as is necessary for providing the agreed service
- our live data and information may not be used for test purposes. Data and information to be used for test purposes must be altered in such a way that none of our live data or information can be reconstructed from that used for test purposes.
- suppliers must agree to permit, and facilitate, audits of all aspects of their information security management system by ourselves, or our appointed agents, and to address any findings of such audits in order to preserve the security of information to our standards and requirements
- suppliers must have a security incident reporting process in place to a standard and design acceptable to ourselves, to ensure that any incidents involving our information are immediately reported to us. Suppliers must agree to undertake any remedial action required by us and ensure that this is auditable.
1 Records
Records retained in support of this procedure are listed in the appropriate Controlled
Records Register and controlled according to the Control of Management System Records
Procedure.