Code | EO/ 8 A15 |
Created by | ISM - Team |
Approved by | GF |
Confidentiality Level | Level 1 - Public |
Version | EO.V02 |
Security Policy for Suppliers
1 Scope of Application
The purpose of this document is to define the rules governing communication and relationships with suppliers and partners.
This document applies to all suppliers and partners that may impact the confidentiality, integrity, and availability of confidential or highly confidential information of EBCONT operations GmbH.
The users of this document include the management of EBCONT operations GmbH and all individuals responsible for suppliers and partners within the company.
2 Reference Documents
- ISO/IEC 27001:2022
- IT Basic Protection Catalogues
3 Relationships with Suppliers and Partners
3.1 Identification of the Risks
Security risks associated with suppliers and partners are identified during the risk evaluation process, in accordance with the risk assessment and treatment methodology. The analysis must consider both the risks relating to information and communication technology and those arising from the product supply chain. Additional risk assessments for specific suppliers or partners are conducted where necessary.
3.2 Verification
The Information Security Officer determines whether individual suppliers or partners require a background check and, if so, which methods are applied. If a partner is ISO 27001 certified, adherence to best practices and legal requirements is assumed, which reduces the need for an in-depth security review; the certificate's scope statement should be checked to confirm that it actually covers the services provided to EBCONT operations GmbH. A risk analysis must in any case be conducted and documented.
3.3 Contracts
Management decides, based on the results of the risk assessment, which security clauses are included in contracts with suppliers and partners. Contracts must guarantee reliable delivery of products and services; this applies in particular to cloud service providers.
Management also decides whether individual employees of a supplier or partner must sign a confidentiality agreement before working with EBCONT operations GmbH. Each contract must have an assigned owner who is responsible for the supplier or partner.
3.4 Training and Awareness
The contract owner decides which supplier and partner employees must participate in security training and awareness programs. The Information Security Officer is responsible for providing these measures.
3.5 Monitoring and Verification
The contract owner, or a delegate, regularly monitors the quality of the services delivered and compliance with the contractual security clauses, and re-evaluates the supplier or partner in line with the risk they pose. All security incidents involving suppliers or partners must be reported promptly to management or the Information Security Officer.
3.6 Changes in Supplier Services
The contract owner proposes changes to, or termination of, a contract. Final decisions are made by the department heads or management. Where necessary, the Information Security Officer conducts a new risk analysis before changes are approved.
3.7 Withdrawal of Access Rights / Return of Assets
Upon termination of the contract, the access rights of supplier or partner employees must be revoked in accordance with the access control policy. In addition, all equipment, software and information (digital or physical) must be returned.
4 Relevance to ISO 27001
Checklists, Measures | ISO Section (ISO/IEC 27001:2013 Annex A) | Comment |
---|---|---|
Information Security Guideline Concerning Supplier Relationships | A.15.1.1 | ISO/IEC 27001:2022 control 5.19 |
Security Topics in Supplier Contracts | A.15.1.2 | ISO/IEC 27001:2022 control 5.20 |
ICT Supply Chain | A.15.1.3 | ISO/IEC 27001:2022 control 5.21 |
Monitoring and Verification of Supplier Services | A.15.2.1 | ISO/IEC 27001:2022 control 5.22 |
Management of Changes to Supplier Services | A.15.2.2 | ISO/IEC 27001:2022 control 5.22 (merged with A.15.2.1) |
5 Validity and Document Management
This document is valid from 1 Jan. 2017.
The owner of this document is Management, which reviews it at least once a year and updates it if necessary.