Information Security Policy 2020

A process for handling supplier agreements shall be established by Group Procurement and followed by ISS business units before any supplier agreement is signed. This process shall ensure that business units define the information access granted to each type of supplier. The process shall include:

- Lifecycle management for supplier relationships
- Definition of the information access granted to a given supplier: what is allowed, and what monitoring and control is needed
- Minimum information security requirements, based on the type of supplier access, business needs and a risk assessment
- Procedures for monitoring supplier compliance with ISS information security requirements, and the need for third-party reviews
- Security requirements for communication and information processing
- Supplier obligations to protect ISS information
- Responsibilities of ISS and the supplier for handling incidents and contingencies
- Supplier resilience and business continuity plans
- Awareness training of supplier staff, based on the level of supplier access to ISS information and information processing systems
- Documentation of information security requirements and controls, signed by both parties
- How information security is handled and maintained during a transition period

15.1.2 Addressing security within supplier agreements

Supplier agreements shall be established and documented so that there is no misunderstanding between ISS and the supplier regarding both parties' obligations to fulfil the relevant information security requirements.

The following terms should be included in the agreements in order to satisfy the identified information security requirements:

- Description of the information to be provided or accessed, and how
- Classification of information according to ISS standards, including, if necessary, a mapping between the ISS and supplier classification schemes
- Legal and regulatory requirements, including personal data protection, intellectual property and copyright, with a description of how compliance is achieved
- Obligations of both ISS and the supplier to implement controls, including access control, reporting and auditing
- Rules for acceptable use of information
- Lists of supplier employees authorized to access ISS information
- Information security policies relevant to the contract
- Requirements and procedures for incident management

ISS Classification - Restricted - External | ISS 15 Supplier relationships | Page 2 of 6