I'm the Information Security Manager at Janet and through this blog I'll be sharing some of my experiences, ideas and thoughts on information security topics.

Information security management by suppliers

Thursday, August 17, 2017 - 14:04
Particularly when we are buying ICT products and services, information from suppliers is likely to have an emphasis on technical security measures – we’ll get lots of information on encryption, compliance with data protection laws, authentication and datacentres. These are important, but we also need to understand how the supplier manages issues of information security, and how they have decided that these controls are effective at protecting our information.
We ask our suppliers to:
  • Provide a description of how information security risks to the service or product supplied are managed. (We also provide some further requirements to help our suppliers meet this requirement.)
  • If conformance to ISO/IEC 27001:2013 is claimed, please provide a copy of a certificate issued by a certification body accredited by a member of the International Accreditation Forum (e.g. UKAS), and a copy of the statement of applicability referenced by the certificate.
  • If conformance to any other standard is claimed, please provide the equivalent evidence.
It’s important to emphasise that we aren’t mandating that the supplier holds ISO certification; certification simply offers a quick route to giving us assurance that they meet this requirement. Otherwise we’d expect the supplier to provide more detailed information on how they address information security risk.
You may be interested in my previous blog post on how to check the validity of an ISO certificate.
Some thought is required if we are expecting sole traders and small businesses as suppliers. They may not fully understand the extent and scope of Jisc’s information security concerns, and are less likely to have gained ISO 27001 certification. Schemes such as Cyber Essentials may be more appropriate, and further support and guidance during the procurement process will be necessary.