Introduction

TeleResult has achieved ISO27001 certification and, as part of that, needs to assess all new suppliers or partners to ensure its security risk profile is not compromised.


A risk assessment is required to establish the likely risk profile if a relationship were to be established.


This assessment is essential because potential suppliers and partners are able to influence the confidentiality, integrity, and availability of TeleResult's sensitive information.


Reference

This solution is based on the TeleResult ISMS Control A.15 – Supplier Security Policy.


Process

The steps are:

1. Determine if the supplier already has a cyber security certification (e.g. ISO27001 or SOC2).

Option 1. Engaging partners with existing information security accreditation

If the supplier holds such a certification, there is an immediate level of assurance for TeleResult that this partner can ensure that their work will deliver the required information security protections.

Before forming a relationship, ask the Manager Compliance to contact the supplier to confirm the details of their ISO certification (checking that the certificate is valid and what the scope of the certification is).

Option 2. Engaging partners without existing information security accreditation

For a potential supplier or partner that does not hold a cyber security certification, the risk assessment must be more in depth.

A list of issues that may require contract clauses, and clauses that could be included, is given in TeleResult ISMS Control A.15 - Appendix 1: Security Clauses for Suppliers and Partners.

Depending on the nature of the engagement, additional clauses may be required where the supplier needs to support TeleResult security procedures and processes; see Control A.15 clause 3.2 for example clauses.

The supplier, and their staff working with TeleResult, may be required to sign Data Security and Confidentiality Statements.

2. Risk Assessment / Contract signing

A risk assessment using the TeleResult ISMS Clause 6.1.1 - Risk Assessment and Risk Treatment Methodology needs to be completed. If any risks are assessed as being Medium High or High using that methodology, approval is required from the Practice Director before any contractual agreement can be signed.

3. After contract signing
  • A risk will be added to the ISMS risk register and be regularly reviewed.
  • The Practice Director and nominated senior staff will decide whether the supplier, or individual employees of the supplier/partner, will have to sign the TeleResult Data Security and Confidentiality Statements when working for TeleResult.
  • The Practice Director and General Manager determine those employees that need security awareness and training on the supplier/partner products and services, and work with the supplier/partner to train their staff on our security requirements if necessary.
  • Ongoing monitoring of the risk needs to be performed.

Change                                       Who By        When
Reviewed and updated text. Multiple changes  David Street  19/07/2022
Rewritten to improve understanding           David Street  03/08/2022