Interdependencies between essential and important entities
ENISA Interdependencies Indicators Tool
| ISO/IEC 27002 control name and description | Example of implementation |
|---|---|
| **Managing changes to supplier services.** Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, should be managed, taking account of the criticality of the business information, systems and processes involved and re-assessing the risks. | Review the changes to supplier services that relate to information security and measure their financial value. |
| **Monitoring and review of supplier services.** Organisations should regularly monitor, review and audit supplier service delivery. | Measure the number of agreements that are not fully adhered to and the related incidents. Measure the penalties and other economic consequences. |
| **Information security policy for supplier relationships.** Information security requirements for mitigating the risks associated with a supplier's access to the organisation's assets should be agreed with the supplier and documented. | The number of supplier contracts, the type of services provided and the impact of those services on the organisation provide an estimate of the economic impact of NIS incidents. |
| **Information and communication technology supply chain.** Agreements with suppliers should include requirements to address the information security risks associated with the information and communications technology services and product supply chain. | Review the supplier agreements with a focus on the dependencies of critical services, their economic value and the related penalties. |
| **Addressing security within supplier agreements.** All relevant information security requirements should be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organisation's information. | Calculate the amount of penalties arising from the violation of a supplier agreement, and the value of each agreement. These figures show the economic impact on the related suppliers, either from the loss of a contract or from the violation of one. |