Security Policy for Suppliers

The purpose of this document is to establish rules for communication/relationships with suppliers and partners.

This document applies to all suppliers and partners who may influence the confidentiality, integrity and availability of confidential and/or strictly confidential information of EBCONT operations GmbH.

Users of this document are the Management of EBCONT operations GmbH as well as all other persons who are responsible for suppliers and partners at EBCONT operations GmbH.

• ISO/IEC 27001:2013
• IT Basic Protection Catalogues

3.1 Identification of the Risks

Security risks associated with suppliers and partners are identified in accordance with the risk analysis and treatment methodology during the risk assessment process. Special care must be taken during risk analysis to identify risks related to information and communication technology as well as risks in connection with the product supply chain. Management decides whether it is necessary to assess additional risks associated with individual suppliers or partners.

3.2 Verification

The Security Officer decides whether it is necessary to review the background of individual suppliers and partners and, if so, which methods are to be applied.

If a partner is ISO 27001 certified, we expect an application of best practices and compliance with legal requirements. In this case, an in-depth security check is not necessary. However, a risk analysis should be carried out and documented in any case.

3.3 Contracts

Management is responsible for deciding which security clauses are to be included in the contract with the respective supplier or partner. This decision must be based on the results of risk assessment and treatment. In addition, the reliable delivery of products and services must be anchored in every contract, especially with cloud service providers.

Management decides whether individual employees of the supplier or partner have to sign the declaration of confidentiality when they work for EBCONT operations GmbH. Management decides who is the contract owner of each individual contract, i.e. who is responsible for the respective supplier or partner.

3.4 Training and Awareness

The contract owner decides which employees of suppliers and partners must complete a safety training and awareness programme. The security officer is responsible for providing all safety training and awareness measures for these employees.

3.5 Monitoring and Verification

The contract owner or their representative must regularly review and monitor the quality level of the services and the fulfillment of the safety clauses by the suppliers or partners, as well as their reports and records, and also assess the supplier or partner according to risk. All security incidents in connection with the tasks of the suppliers or partners must be reported immediately to Management or the Safety Officer.

3.6 Changes in Supplier Services

The contract owner proposes changes or a contract cancellation, the final decision being incumbent on the divisional management or Management. If necessary, the ISMS officers conduct a new risk analysis before the changes are accepted.

3.7 Withdrawal of Access Rights / Return of Codes

If the contract is cancelled, the access rights of suppliers' or partners' employees must also be removed at the same time and in accordance with the Access Control Directive, and it must be ensured that any equipment, software or information is returned in electronic or paper form.

Checklists, Measures	ISO Section	Comment
Information Security Guideline Concerning Supplier Relationships	A.15.1.1
Security Topics in Supplier Contracts	A.15.1.2
ICT Supply Chain	A.15.1.3
Monitoring and Verification of Supplier Services	A.15.2.1
Management of Changes to Supplier Services	A.15.2.2

This document is valid from 1 Jan. 2017.

The owner of this document is Management which reviews the document at least once a year and updates it if necessary.