
Information Security Policy for Supplier Relationships

Specific information security policies
5.2.15 Information Security Policy for Supplier Relationships

5.2.15.1. Aranda Software’s information security policies and procedures must be followed by suppliers designated as critical. 

5.2.15.2. It is the responsibility of Aranda employees who interact with suppliers to be familiar with and apply the ISMS policies within the context of such interactions and to report any non-compliance with these policies as a security incident. 

5.2.15.3. Non-Disclosure Agreements and Information Exchange Agreements must be established for all suppliers classified as Critical, clearly setting forth the contractor’s obligations and ensuring compliance with the ISMS policies. 

5.2.15.4. Information security risks related to suppliers must be identified and assessed before the business relationship begins, and must be monitored periodically from the outset. This monitoring is the responsibility of the information security department, which, in conjunction with the person responsible for the supplier relationship, will determine the risks specific to that relationship. 

5.2.15.5. Any access requested by suppliers to information and infrastructure, regardless of where it is stored, must be formally evaluated and approved in accordance with the organization’s Access Control Policy. 

5.2.15.6. Suppliers must comply with Section 5.2.2 (Inventory of information and associated assets) for the assets under their responsibility; this covers actions such as storage, transmission, printing, and processing, in accordance with the procedure established for this purpose.

5.2.15.7. Suppliers designated as critical must manage vulnerabilities in the platforms under their responsibility that are involved in the relationship with Aranda. This includes promptly reporting identified vulnerabilities to Aranda Software and the measures to be implemented to mitigate the associated risks. 

5.2.15.8. Suppliers must promptly report any information security incidents that jeopardize the contracted services.

5.2.15.9. The Information Security department must monitor and regularly assess (at least once a year) changes in information security practices at suppliers. 

5.2.15.10. Suppliers designated as critical must have a business continuity plan in place.