5.20 Addressing Information Security Within Supplier Agreements

Relevant information security requirements should be established and agreed with each supplier based on the type of supplier relationship.

With this control in place organisations can help ensure that their information is adequately protected and that their expectations and requirements for information security are clearly communicated to their suppliers.

When addressing information security within supplier agreements, it is important for organisations to clearly define their expectations and requirements for protecting sensitive or confidential information. This can be done through the inclusion of specific clauses in the agreement that outline the responsibilities of both parties in relation to information security.Some specific clauses that organisations may consider including in supplier agreements to address information security are:

• Data protection and confidentiality clause: This clause outlines the responsibilities of the supplier in relation to protecting the organisation's sensitive or confidential information. It may include requirements for the supplier to implement appropriate technical and organisational measures to protect the information and ensure that all employees or contractors who have access to the information are bound by confidentiality agreements.
• Data breach notification clause: This clause outlines the procedures the supplier must follow in case of a data breach or unauthorised access to the organisation's information. This may include requirements for the supplier to promptly notify the organisation of any such incidents and cooperate with any investigations or remediation efforts.
• Data disposal clause: This clause outlines the procedures the supplier must follow when disposing of any physical or electronic media containing the organisation's sensitive or confidential information. This may include requirements for the supplier to securely erase or destroy the information in a manner that meets industry standards.