190821 ISO 27001 A.15

A.15.1 Information security in supplier relationships

Objective: To ensure protection of the organization’s assets that are accessible by suppliers.

A.15.1.1 Information security policy for supplier relationships

Information security requirements for mitigating the risks associated with suppliers’ access to the organization’s assets shall be agreed with the supplier and documented.

A.15.1.2 Addressing security within supplier agreements

All relevant information security requirements shall be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization’s information.

A.15.1.3 Information and communications technology supply chain

Agreements with suppliers shall include requirements to address the information security risks associated with the supply chain for information and communications technology services and products.

A.15.2 Supplier service delivery management

Objective: To maintain an agreed level of information security and service delivery in line with supplier agreements.

A.15.2.1 Monitoring and review of supplier services

Organizations shall regularly monitor, review and audit supplier service delivery.

A.15.2.2 Managing changes to supplier services

Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking account of the criticality of the business information, systems and processes involved and a re-assessment of risks.
