Information security with suppliers

MILITZER & MÜNCH GERMANY

1. General
This document describes the basic handling of information security among suppliers, the handling of subcontractors/sub-suppliers, and the IT security rules that M&M suppliers must observe when using M&M information and IT devices (e.g. desktop PCs, notebooks, smartphones, tablets).

The specifications are aimed at the management of the suppliers, their employees and their vicarious agents (hereinafter referred to as contractors).

The management is obliged to independently pass this document on to its employees, vicarious agents and, if necessary, sub-suppliers.

1.1 Norm reference / standard

Norm / Standard     Control
TISAX ISA 6.0       6.1.1; 6.1.2 (Supplier management / Information security)
ISO 27001:2022      A.5.19; A.5.20; A.5.21 (Information security)

2. Exchange of information
During all conversations about M&M's confidential or secret information, including telephone conversations, care must be taken to ensure that they cannot be overheard by unauthorized persons. It must be ensured that all necessary and appropriate precautions (e.g. encryption) are taken to protect the information in transit from unauthorized access, alteration and deletion (this also includes family members and friends).

3. Physical transport of media
In general, data carriers containing M&M information must be protected from unauthorized access, misuse or falsification during transport, even across organizational boundaries.

It is important to ensure that all necessary and appropriate precautions (e.g. encryption) are taken to protect the information during transport from being viewed, changed and deleted by unauthorized persons (this also includes members of the family and friends). Data carriers must be transported concealed. Data carriers containing secret information must always be transported accompanied by an employee of the supplier/contractor. Documents must be protected from being viewed, e.g. in a non-transparent folder.

4. Physical transport of notebooks
Notebooks on which M&M information is stored must be transported in such a way that they cannot be viewed from the outside. In addition, when they are used in public, care must be taken to ensure that third parties cannot read screen content and/or observe the entry of secret authentication information (e.g. passwords or PINs).

5. Handling information security incidents and communications
Serious information security events (e.g. disruptions, data loss, illegal actions, cybercrime attacks) must be reported immediately to the information security officer (ISB) at isb.de@mumnet.com. If you suspect that confidential or secret information has been lost, this must also be reported to the information security officer (ISB).

6. Information security compliance (supply chain)
When commissioning subcontractors/sub-suppliers, the supplier/contractor must ensure that the M&M requirements for compliance with information security in accordance with TISAX or ISO 27001 are also adhered to by the subcontractors/sub-suppliers. This also includes concluding confidentiality agreements with subcontractors/sub-suppliers. Proof of compliance is the responsibility of the supplier/contractor and must be provided to M&M at any time upon request.

If the supplier/contractor is entitled to award subcontracts, it is fully liable for them, regardless of any contractual or legal limitations or exclusions of liability.

7. Audit Rights Regarding Information Security
The supplier/contractor grants M&M the right, which can be exercised at any time after prior notification, to view and examine all data relating to the business transactions between the supplier/contractor and M&M with regard to information security and to review the IT and data security measures.

For this purpose, employees of M&M or third parties commissioned by M&M are entitled to enter the business premises of the supplier/contractor during normal business hours. The costs of the inspection are borne by the supplier/contractor if violations of information security and/or of the agreements of the respective order are discovered for which the contractor is responsible.

8. Confidentiality agreement between the supplier/contractor and its employees
The supplier/contractor of M&M undertakes to conclude a confidentiality agreement (separately or as part of the employment contract) with all of its employees who receive information from M&M as part of the collaboration or have access to such information. Proof of compliance is the responsibility of the supplier/contractor and must be provided at any time upon M&M’s request.

9. Subcontractors/Sub-suppliers
The engagement of additional contractors (subcontractors) by the supplier/contractor for handling secret project data or in relation to secret projects requires the express written consent of M&M. Consent can be revoked at any time. This applies in particular if serious breaches of duty or significant misconduct by the subcontractor or its vicarious agents justify this. In addition, extraordinary termination for good cause and/or claims for damages can be asserted.

10. Contact person
If you have any further questions, please contact the contact person for information security:

Maja Scheunemann, isb.de@mumnet.com