This article provides an overview of the supplier relationships aspect of information security as part of ISO 27002 compliance.

The objective of information security in supplier relationships is to ensure protection of the organisation’s assets that are accessible by suppliers.

The objective of supplier service delivery management is to maintain an agreed level of information security and service delivery in line with supplier agreements.

Information security in supplier relationships:

  1. Information security policy for supplier relationships – information security requirements for mitigating the risks associated with suppliers’ access to the organisation’s assets should be agreed with each supplier and documented.
  2. Addressing security within supplier agreements – all relevant information security requirements should be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for the organisation’s information.
  3. Information and communication technology supply chain – agreements with suppliers should include requirements to address the information security risks associated with the information and communications technology services and product supply chain.

Supplier service delivery management:

  1. Monitoring and review of supplier services – organisations should regularly monitor, review and audit supplier service delivery.
  2. Managing changes to supplier services – changes to the provision of services by suppliers, including the maintenance and improvement of existing information security policies, procedures and controls, should be managed. This should take account of the criticality of the business information, systems and processes involved, and should include a re-assessment of risks.

For more information please contact Morland-Austin at