Question

Why would you include an information security provision in a contract? Write in 200 words.

Answer #1

Hi,

Each point is mentioned below:

  1. For information security, valuable and sensitive information will now be handled by suppliers, and without proper treatment, this leads to increased risk of information confidentiality, integrity, or availability being compromised.
  2. Security should be considered a deliverable, just like any other product or service an organization expects from its supplier. When an organization runs a process to deliver products or services to its client, and adopts best practices like ISO 9001 or ISO 27001, it defines controls to ensure the process is performed with minimized risks to achieve established requirements (e.g., measuring points at critical steps, redundancies, etc.). When an organization decides that outsourcing is a better cost-benefit option, it should not only consider the product or service to be delivered, but also ensure that related processes are properly implemented and controlled by means of security clauses, and most times this is not done, or verified, properly.
  3. To ensure that the benefits of outsourcing operations outweigh the risks of including providers in the scenario, contracts should be written properly, and ISO 27001 control A.15.1.2 (Addressing security within supplier agreements) requires an organization to consider security clauses in contracts. Some examples of security clauses are:
  • Right to audit: clause ensuring the organization has the right to audit and test the security controls periodically, or upon significant changes to the relationship.
  • Notification about security breaches: clause requiring the provider to inform the organization in a timely manner regarding any security breaches that may impact the organization’s business. Generally, this clause is related to data breach notification laws that affect either the organization or the provider, or both.
  • Adherence to security practices: clause requiring the provider to adhere to the organization’s security practices, and to communicate any situations where this adherence is not achievable, helping to prevent security gaps or conflicts that could impair security performance.
  • Response time to vulnerabilities: clause requiring the provider to provide, in a timely manner, proper treatment for known vulnerabilities that may impact the organization’s business.
  • Demonstration of compliance: clause requiring the provider to provide independent evidence that its operations and controls comply with contractual requirements. This can be achieved, for example, by a third-party audit agreed upon by the provider and the organization.
  • Management of supplier’s supply chain risks: clause requiring the provider to ensure, within its own supply chain, the fulfillment of the same security clauses applied to the provider.
  • Communication of changes: clause requiring the provider to inform the organization in a timely manner regarding changes in its environment that may impact the organization’s business.
  • Maintenance of service levels: clause requiring the provider to inform the organization regarding its plans to ensure service levels in normal conditions and during disruptive events, on either the organization’s or the provider’s premises.

    You should note this is not a definitive list and other clauses may arise from risk assessments, and that all contractual clauses should be reviewed by legal personnel to ensure proper wording and application.
