
ISMS CONTROLS - SCM

9 January 2020
AGENDA:

Discuss the following ISMS controls based on the drafted 1AP Guidelines:

• Information Security Requirements in Supplier Relationship
VENDOR AGREEMENTS

• Vendor agreements shall be documented and signed by both AP/BUs and the vendor to ascertain that all relevant Information Security, Legal and Regulatory requirements will be fulfilled. Non-disclosure agreements may also be used if there is a special need for confidentiality of information, and such agreements must be kept and maintained.

Note: This portion will be included in the Accredit to Evaluate Guideline (1AP-SSM-002-G001)
INFORMATION SECURITY REQUIREMENTS IN VENDOR AGREEMENTS

• A description of the information to be provided or accessed by each supplier
• Classification of information (Public, Internal, Confidential)
• Legal and regulatory requirements, including data protection, intellectual property rights and copyright, and how they are met
• Obligation of each contractual party to implement an agreed set of controls including access control, performance review, monitoring, reporting and auditing
• Procedures for authorizing supplier personnel to access or receive AP/BUs information
• Incident management requirements and procedures
• Screening requirements
• Right to audit the supplier processes and controls
VENDOR AGREEMENTS

• Changes to the provision of supplier services shall be managed, taking into account the criticality of business information, systems and processes involved and re-assessment of risks.
• New vendor agreements or change orders may be issued depending on the type of change in supplier services. For changes of suppliers, the accreditation process shall be re-performed by completing all the requirements and signing the vendor agreement.
VENDOR PERFORMANCE EVALUATION

Performance evaluation shall be carried out to ensure:

• the vendors' alignment to the company's requirements
• the vendor's compliance with the information security terms and conditions stated in vendor agreements, and
• the vendor's proper management of information security incidents
VENDOR PERFORMANCE EVALUATION

• Supplier audits shall be conducted and follow-up issues shall be identified, if deemed necessary.
• Supplier audit trails and records of information security events, operational problems, failures, tracing of faults and service disruptions shall be examined during audit.
• For third party software vendors, AP/BUs may request copies of independent audit reports from the vendors, such as SAS70/SSAE16, SOC 1 and SOC 2 reports.
• Information security aspects of the vendor's relationships with its own vendors shall be reviewed.
