Information Security Policy 2020

This policy applies to the entire ISS Group including all subsidiaries and companies controlled by ISS and some material subcontractors based on a risk assessment.

for Information Security within ISS World Services A/S and all its subsidiaries.

The Information Security Policy is supplemented by practical implementation guidance within the Procedure for Information Security. The Procedure for Information Security constitutes the technical document to facilitate and guide implementation of information security controls, based on control objectives defined within the Information Security Policy.

The Policy is reviewed and approved annually, whereas the Procedure is reviewed and approved by the Information Security Risk Committee. The Procedure and its technical controls and guidance must be aligned with the Minimum Baseline found within the Information Security Policy.

The Information Security Policy and Procedure constitute the Minimum Baseline within ISS and can be supplemented by extended controls. Implementation of extended controls, exceeding the Minimum Baseline, is subject to risk, commercial and regulatory review and assessment.

15.1 Information security in supplier relationships

Information and assets can be put at risk by suppliers with inadequate information security management. Therefore ISS shall identify and apply contractual obligations to suppliers and subcontractors in order for them to access or handle ISS information and information processing facilities correctly. Suppliers can be external vendors, subcontractors or consultants.

Objective

To ensure protection of the ISS and Customer information and assets that are accessible by suppliers.

15.1.1 Information security policy for supplier relationships

No matter the contractual obligations that ISS imposes on suppliers with respect to information security, ISS remains ultimately responsible and accountable for protection of all information handled by suppliers on behalf of ISS and our customers. It is therefore the responsibility of ISS contract management and legal to ensure that information security requirements are embedded in supplier contracts.

Before entering agreements with suppliers, ISS business units shall identify supplier IT, logistics and financial services, including infrastructure components, that will be allowed to access ISS information.

ISS Classification - Restricted - External
ISS 15 Supplier relationships