Policy for supplier relationships (A.15)

Information security requirements for mitigating the risks associated with supplier’s access to the organization's assets shall be agreed with the supplier and documented. (A.15.1.1)

All contractors entitled to access Aarhus University's systems, information and buildings must be made aware of the relevant parts of Aarhus University's information security policy and subjacent policies before establishing the required access.

Suppliers must not have unnecessary physical access to the university's secure areas and appropriate access controls must always be used.

Where the associated risk assessment gives reason for stricter precautionary measures against unintentional access and publication, confidentiality declarations from relevant contractors must be included in the contractual basis.

All relevant information security requirements shall be established and agreed with each supplier that may, process, store, communicate, or provide IT infrastructure components for the organization’s information. (A.15.1.2)

The security level of all suppliers including outsourcing partners must be acceptable, as demanded by the risk assessment.

Overall, information security at Aarhus University must not be impaired because a task has been outsourced. In this respect, the responsible unit is responsible for reviewing an outsourcing partner's security policy and general security level before entering into a contract. The contractual basis for outsourcing must contain regulations appropriate for the associated risk assessment concerning penalties for breach of contract and provide the necessary support for the exit strategy from the supplier relationship.

When information assets pertaining to personal data are affected by outsourcing, there must be stricter attention to the requirements in the Danish Act on Processing of Personal Data (Persondataloven) and guidelines set out by the Danish Data Protection Agency.

Agreements with suppliers shall include requirements to address the information security risks associated with information and communications technology services and product supply chain. (A.15.1.3)

A contractual basis with suppliers, including outsourcing partners, must include requirements for updated documentation of the supply chain for the deliverable. The supplier is also responsible for ensuring compliance with the relevant security requirements by all of its contractors in the supply chain involved.

In connection with the establishment of agreements on outsourcing, and if the risk assessment so dictates, the supplier must be required to submit a statement of assurance or certification in accordance with ISO 27001 or another approved equivalent standard.

A number of initiatives have been planned and established centrally in order to comply with the above requirements: Re. A.15.1.1 Information security policy for supplier conditions: If the risk assessment gives reason for stricter precautionary measures against unintentional access and publication, confidentiality declarations (NDAs) from relevant contractors must be included in the contractual basis. Re. A.15.1.2 Managing security in supplier agreements: With respect to information assets similar to personal data, see the Danish Act on Processing of Personal Data (Persondataloven) and guidelines issued by the Danish Data Protection Agency, see information under the Data Protection Unit established at Aarhus University. This means that if you keep your critical, confidential or sensitive information stored in the solutions offered centrally, the above compliance is ensured by Aarhus University.  If you have other needs based on your risk assessment, this must be ensured locally. Locally: advice and guidance can be found at: supplier management plays an important role in handling information security (secure digital)

Organisations shall regularly monitor, review and audit supply service delivery. (A.15.2.1)

The unit responsible for the agreement must establish supplier management, which includes processes for regular control of the supplier or outsourcing partner. The basis for the agreement with these must facilitate access to a level of monitoring of services. Where the current risk assessment so requires, control must be through direct measurement and inspection of the supplier's services and level of security. In other cases, indirect control must be exercised in line with the risk assessment and the basis of agreed reporting and documented audit and co-operation processes concerning, for example, operating and contractual conditions.

Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking account of the criticality of business information, systems and processes involved and re-assessment of the risks. (A.15.2.2)

Current risk management must be revised in the event of changes to significant supplier relationships, such as replacement of the main supplier or sub suppliers. This applies particular in connection with extensions of services, commissioning of new technologies, products or versions, as well as changes to the physical locations and facilities of the service.

A number of initiatives have been planned and established centrally in order to comply with the above requirements: Re. A. 15.2.1 Monitoring and review of supplier services: At AU, supplier management is secured through system management  Re. A.15.2.2 Management of changes to supplier services: For SaaS solutions, see (LINK to DBE about Cloud)  This means that if you keep your critical, confidential or sensitive information stored in the solutions offered centrally, the above compliance is ensured by Aarhus University.   If you have other needs based on your risk assessment, this must be ensured locally.