ISMS Control of Outsourced Processes
1 Introduction
2 Scope
This procedure sets out how <Short Name> identifies and controls outsourced processes
that may pose a threat to our information security.
3 Revision History
Revision | Date | Record of Changes | Approved By
0.0 | [Date of Issue] | Initial Issue |
5 References
Standard | Title | Description
ISO 27000:2014 | Information security management systems | Overview and vocabulary
ISO 27001:2013 | Information security management systems | Requirements
ISO 27002:2013 | Information technology - security techniques | Code of practice for information security controls
ISO 19011:2011 | Auditing Management Systems | Guidelines for auditing
6 Definitions
An “outsourced process” is a process that is required by <Short Name>, but which
<Short Name> chooses to have performed by an external party.
“Staff” and “users” mean all of those who work under our control, including
employees, contractors, interns, etc.
7 Responsibilities
The <ISMS Manager> and the <Purchasing Manager> are jointly responsible for all aspects
of the implementation and management of this procedure unless noted otherwise.
informing the <ISMS Manager> about any processes they wish to outsource which
may have implications for information security
ensuring that all staff under their control understand and undertake their
responsibilities accordingly.
9 Records
Records retained in support of this procedure are listed in the ISMS Controlled Records
Register and controlled according to the Control of Management System Records
Procedure.