Checklist of ISO/IEC 27001-A.15.1.3 Information and communication technology supply chain

Introduction:

With the increasing reliance on information and communication technology (ICT) to run businesses, organizations need to ensure the security and integrity of their ICT supply chain.

However, this can be a challenging task, especially when parts of the supply chain are subcontracted.

It is crucial to verify the security requirements of all acquired products, including goods and services.

Additionally, organizations need to ensure resilience when critical products or services are supplied by others.

This article provides a checklist for organizations to assess how information risk and security practices propagate throughout the supply chain, especially when parts of it are subcontracted.

Sample Checklist:

Verify Security Requirements of Acquired Products

  • Develop a list of security requirements that all acquired products must meet.
  • Ensure that these security requirements are communicated to all suppliers in the supply chain.
  • Obtain evidence from suppliers that they are meeting the security requirements.
  • Use a risk-based approach to assess the security requirements of acquired products.
  • Monitor the performance of suppliers in meeting the security requirements.

Achieving Resilience

  • Identify all critical products or services that are supplied by others.
  • Develop a contingency plan in case the supplier is unable to deliver the critical products or services.
  • Test the contingency plan to ensure that it is effective.
  • Monitor the performance of suppliers in delivering critical products or services.
  • Consider alternative suppliers to ensure resilience.

Tracing the Origin of Products

  • Develop a process to trace the origin of products, including firmware and embedded systems.
  • Ensure that all suppliers in the supply chain provide information about the origin of their products.
  • Verify the accuracy of the information provided by suppliers.
  • Develop a process to handle any issues related to the origin of products, including firmware and embedded systems.

Conclusion:

Organizations need to pay attention to their ICT supply chain to ensure that their products and services are secure and resilient.

They need to verify the security requirements of acquired products, ensure resilience when critical products or services are supplied by others, and trace the origin of products, including firmware and embedded systems.

By using the checklists provided in this article, organizations can assess how information risk and security practices propagate throughout the supply chain and take appropriate action to address any issues.
