External suppliers and Vendor security
"In the modern SaaS world, we must consider vendors to be within our security perimeter. As a security team, we need to be able to test their security posture in order to protect our users’ data".
Relevant ISO 27002:2022 controls (with the corresponding ISO 27002:2013 control numbers):
- 5.19: Information security in supplier relationships | 2013: 15.1.1
- 5.20: Addressing information security within supplier agreements | 2013: 15.1.2
- 5.21: Managing information security in the ICT supply chain | 2013: 15.1.3
- 5.22: Monitoring, review and change management of supplier services | 2013: 15.2.1, 15.2.2
- 5.23: Information security for use of cloud services | 2013: n/a
- 5.31: Legal, statutory, regulatory and contractual requirements | 2013: 18.1.1, 18.1.5
- 6.6: Confidentiality or non-disclosure agreements | 2013: 13.2.4
- 8.26: Application security requirements
Relevant CISSP topics:
- 1.11 Apply Risk-Based Management Concepts to the Supply Chain
- 1.8.4 Vendor, consultant, and contractor agreements and controls
- Contracting and Procurement
See also:
- Examples of vendor selection questionnaires
- Drafting a Vendor and Product checklist
- Security requirements for suppliers (Junis)
- Vulnerability Disclosure Policy
- Software due diligence
- Checklist for security product vendors assessment
- Checklist for auditing Vendor Management
- Treating vendors as a risk
Examples: