richardk/iso27diy-corp
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

removed emoji from filenames, Obsidian changed all relevant links

Browse source
This commit is contained in:
Richard Kranendonk 2026-05-07 15:01:04 +02:00
parent d316285a74
commit 68f1c38681
638 changed files with 710 additions and 3176 deletions
Download patch file Download diff file Expand all files Collapse all files

37
Corpus/Sparks/Vendor security MoC.md Normal file
View file

@ -0,0 +1,37 @@
# External suppliers and Vendor security
"In the modern SaaS world, we must consider vendors to be within our security perimeter. As a security team, we need to be able to test their security posture in order to protect our users data".
**Relevant ISO 27002:2022 controls:**
[5.19:](../MoCs/ISO_27002_2022_5.19_MoC%20Information%20security%20in%20supplier%20relationships.md) Information security in supplier relationships | 2013: 15.1.1
[5.20:](../MoCs/ISO_27002_2022_5.20_MoC%20Addressing%20information%20security%20within%20supplier%20agreements.md) Addressing information security within supplier agreements | 2013: 15.1.2
[5.21:](../MoCs/ISO_27002_2022_5.21_MoC%20Managing%20information%20security%20in%20the%20ICT%20supply%20chain.md) Managing information security in the ICT supply chain | 2013: 15.1.3
[5.22:](../MoCs/ISO_27002_2022_5.22_MoC%20Monitoring,%20review%20and%20change%20management%20of%20supplier%20services.md) Monitoring, review and change management of supplier services | 2013: 15.2.1, 15.2.2
[5.23:](../MoCs/ISO_27002_2022_5.23_MoC%20Information%20security%20for%20use%20of%20cloud%20services.md) Information security for use of cloud services | 2013: n/a
[5.31:](../MoCs/ISO_27002_2022_5.31_MoC%20Legal,%20statutory,%20regulatory%20and%20contractual%20requirements.md) Legal, statutory, regulatory and contractual requirements | 2013: 18.1.1, 18.1.5
[6.6:](../MoCs/ISO_27002_2022_6.6_MoC%20Confidentiality%20or%20non-disclosure%20agreements.md) Confidentiality or non-disclosure agreements | 2013: 13.2.4
[8.26:](../MoCs/ISO_27002_2022_8.26_MoC%20Application%20security%20requirements.md) Application security requirements
**Relevant CISSP topics:**
- [1.11 Apply Risk-Based Management Concepts to the Supply Chain](../Standards/CISSP/CISSP_OSG8_D1_C1_1.11.md)
- [1.8.4 Vendor, consultant, and contractor agreements and controls](../Standards/CISSP/CISSP_OSG8_D1_C2_1.8.4.md)
- [Contracting and Procurement](../Standards/CISSP/CISSP_OSG8_D1_C4.md)
See also:
- [Examples of vendor selection questionnaires](Examples%20of%20vendor%20selection%20questionnaires.md)
- [Draft Vendor and Product checklist](../Literature%20notes/Draft%20Vendor%20and%20Product%20checklist.md)
- [Veiligheidseisen aan Leveranciers Junis](../../Clients/Junis/Veiligheidseisen%20aan%20Leveranciers%20Junis.md)
- [Vulnerability Disclosure Policy](Vulnerability%20Disclosure%20Policy.md)
- [Software due diligence](Software%20due%20diligence.md)
- [Checklist for security product vendors assessment](../Literature%20notes/Checklists%20Gerardus%20Blokdyk/Checklist%20for%20security%20product%20vendors%20assessment.md)
- [Checklist for auditing Vendor Management](../Literature%20notes/Checklists%20Gerardus%20Blokdyk/Checklist%20for%20auditing%20Vendor%20Management.md)
- [Treating vendors as a risk](../Literature%20notes/Treating%20vendors%20as%20a%20risk.md)
Examples:
- [Dropbox Supplier Security Requirements](../Literature%20notes/Dropbox%20Supplier%20Security%20Requirements.md)
- [Veiligheidseisen aan Leveranciers Junis](../../Clients/Junis/Veiligheidseisen%20aan%20Leveranciers%20Junis.md)
- [Ubeoo ATS vendor selection Humankind](../../Clients/Humankind/Ubeoo%20ATS%20vendor%20selection%20Humankind.md)
- [Selectie en implementatie van Technologie bij Humankind](../../Clients/Humankind/Selectie%20en%20implementatie%20van%20Technologie%20bij%20Humankind.md)