Information security policy for supplier relations
5.2.15.1. Aranda Software's information security policies and procedures must be complied with by suppliers defined as critical.
5.2.15.2. It is the responsibility of Aranda employees who have a relationship with suppliers to know and apply the ISMS policies within the framework of that relationship and to report any breach of them as a security incident.
5.2.15.3. Confidentiality Agreements and Information Sharing Agreements must be generated for all suppliers classified as Critical, clearly stating the contractor's obligations and establishing compliance with ISMS policies.
5.2.15.4. Information security risks related to suppliers must be identified and evaluated before starting the business relationship, and must be monitored periodically from the beginning of that relationship. This monitoring is the responsibility of the Information Security area, which, together with the person responsible for the relationship with the supplier, shall determine the risks inherent in that relationship.
5.2.15.5. Access required by suppliers to information and infrastructure, regardless of its storage location, must be formally evaluated and approved in accordance with the organization's Access Control Policy.
5.2.15.6. Suppliers must comply with numeral 5.2.2, Inventory of information and associated assets, for the assets under their responsibility; that numeral defines actions such as storage, transmission, printing and processing, in accordance with the procedure established for this purpose.
5.2.15.7. Suppliers defined as critical must perform vulnerability management of the platforms that are under their responsibility and that are involved in the relationship with Aranda. This includes timely reporting to the Aranda Software Organization of identified vulnerabilities and of the measures to be implemented to mitigate the associated risks.
5.2.15.8. The supplier must report in a timely manner information security events that jeopardize the contracted services.
5.2.15.9. The Information Security area shall regularly (at least once a year) monitor and evaluate changes in information security practices at suppliers.
5.2.15.10. Suppliers defined as critical shall have a business continuity plan in place.