ISMS Supplier Security Policy

1. Purpose, Scope and Users

The purpose of this document is to define rules for relationships with suppliers and partners.

This document applies to all suppliers and partners who can affect the confidentiality, integrity or availability of sensitive information of VSHN AG.

2. Relationships with Suppliers and Partners

2.1. Identification of Risks

Fundamental security risks related to suppliers and partners are identified in accordance with the risk assessment and treatment methodology during the risk assessment process.

The Partner Management domain decides whether it is necessary to assess additional risks related to individual suppliers or partners.

2.2. Screening

The Partner Management domain decides whether it is necessary to check the background of certain suppliers and partners and, if so, which methods are to be used. Such screening pursues the same objectives as the Debt Collection Register and Criminal Records checks for employees.

2.3. Contracts

The Partner Management domain is responsible for deciding which security clauses to include in the contract with the respective supplier or partner. This decision must be based on the results of the risk assessment and treatment. The clauses on confidentiality and return of assets are mandatory in every contract with suppliers and partners who require access to confidential data. In addition, the reliable delivery of products and services should be anchored in every contract.

A list of recommended clauses can be found in the appendix "Security clauses for suppliers and partners".

Employees of the supplier/partner who work directly for VSHN must sign a confidentiality agreement (NDA), unless this has already been agreed in the framework agreement with the supplier/partner.

The Partner Management domain decides who is the contract owner of each individual contract, i.e. who is responsible for the respective supplier or partner.

2.4. Training and Awareness

External employees who have access to data of VSHN and its customers may be requested by VSHN to participate in security and awareness training courses in accordance with the training and awareness plan.

The CISO is responsible for providing all security training and awareness measures for these employees.

2.5. Monitoring and Auditing

The contract owner shall regularly review and monitor the quality level of the services and the fulfillment of the security clauses by the suppliers or partners, as well as their reports and records. If the risk classification has identified an increased risk, an audit of the supplier/partner must be carried out at least once a year.

All security incidents in connection with the supplier’s/partner’s tasks must be reported immediately in accordance with the ISMS Security Incident Management Process.

2.6. Changes to or Termination of Supplier Services

The contract owner proposes changes to or termination of the contract; the final decision lies with management.

2.7. Withdrawal of Access Rights / Return of Assets

If the contract is amended or canceled, the access rights of the supplier's/partner's employees must be withdrawn at the same time, in accordance with the access control policy.

If the contract is amended or canceled, the contract owner must also ensure that any equipment, software or information (in electronic or paper form) is returned.

3. Cloud Services

VSHN does not own or manage physical hardware. Internal IT services and services provided to customers are hosted on cloud-based platforms.

3.1. Definition of Cloud Service

ISO/IEC 22123:2023 defines cloud service as follows:

3.1.1 cloud computing

paradigm for enabling network access to a scalable and elastic pool of shareable physical or virtual resources with self-service provisioning and administration on-demand
Note 1 to entry: Examples of resources include servers, operating systems, networks, software, applications, and storage equipment.

3.1.2 cloud service

one or more capabilities offered via cloud computing (3.1.1) invoked using a defined interface

— ISO/IEC 22123:2023

Conclusion: all of VSHN's IT consists of cloud services and is therefore covered by all policies. The goal of this section is to add cloud-specific guidelines.

3.2. Cloud Services for Internal IT

Corporate IT maintains a list of cloud services used for internal IT.

New services must be approved for corporate IT using Annex 2 - Checklist for SaaS/Cloud Services.

3.3. Cloud Services for Managed Services

Cloud providers for VSHN Managed Services must be ISO/IEC 27001:2022 certified or hold a similar certification / assurance report. The certificates are reviewed using Annex 2 - Checklist for SaaS/Cloud Services.

4. Reference Documents

ISO 27001:2022   ISO 27001:2013        Control
A.5.11           A.8.1.4               Return of assets
A.5.19           A.15.1.1              Information security in supplier relationships
A.5.20           A.15.1.2              Addressing information security within supplier agreements
A.5.21           A.15.1.3              Managing information security in the information and communication technology (ICT) supply chain
A.5.22           A.15.2.1, A.15.2.2    Monitoring, review and change management of supplier services
A.5.23           N/A                   Information security for use of cloud services
A.6.1            A.7.1.1               Screening
A.6.2            A.7.1.2               Terms and conditions of employment
A.6.3            A.7.2.2               Information security awareness, education and training
A.8.30           A.14.2.7              Outsourced development