ISMS Supplier Security Policy

Fundamental security risks related to suppliers and partners are identified in accordance with the risk assessment and treatment methodology during the risk assessment process.

The Partner Management domain decides whether it is necessary to assess additional risks related to individual suppliers or partners.

The domain Partner Management decides whether it is necessary to check the background of certain suppliers and partners and, if so, which methods are to be used. Such a screening follows the same objectives as the Debt Collection Register and Criminal Records for employees.

The domain Partner Management is responsible for deciding which security clauses to include in the contract with the respective supplier or partner. This decision must be based on the results of the risk assessment and treatment. The clauses on confidentiality and return of assets are mandatory in every contract with suppliers and partners who require access to confidential data. In addition, the reliable delivery of products and services should be anchored in every contract.

A list of recommended clauses can be found in the appendix "Security clauses for suppliers and partners".

Employees of the supplier/partner who work directly for VSHN must sign a confidentiality agreement / NDA, unless this has been agreed in the framework agreement with the supplier/partner.

The domain Partner Management decides who is the contract owner of each individual contract, that is who is responsible for the respective supplier or partner.

External employees who have access to data of VSHN and its customers may be requested by VSHN to participate in security and awareness training courses in accordance with the training and awareness plan.

The CISO is responsible for providing all security training and awareness measures for these employees.

The Contract Owner shall regularly review and monitor the quality level of the services and the fulfillment of the security clauses by the suppliers or partners as well as their reports and records. If the risk classification has shown an increased risk, an audit must be carried out at the supplier/partner at least once a year.

All security incidents in connection with the supplier’s/partner’s tasks must be reported immediately in accordance with the ISMS Security Incident Management Process.

The contract owner proposes changes or termination of the contract and the final decision lies with the management.

If the contract is amended or canceled, the access rights of the supplier/partner’s employees must also be withdrawn at the same time and in accordance with the access control policy.

If the contract is amended or canceled, the contract owner must also ensure that any equipment, software or information is returned in electronic or paper form.

ISO/IEC 22123:2023 defines cloud service as follows:

Conclusion: everything VSHN has in terms of IT is are cloud services and therefore covered by all policies. Goal of this section is to add additional cloud specific guidelines.

Corporate IT maintains a list of cloud services used for internal IT.

New services must use the Annex 2 - Checklist for SaaS/Cloud Services to get approved for corporate IT.

Cloud providers for VSHN Managed Services must be ISO/IEC 27001:2022 or certified or having a similar certification / assurance report. The certificates are reviewed with Annex 2 - Checklist for SaaS/Cloud Services.