Introduction to ISO 27001 and supplier management
A third-party supplier can pose a significant risk to the confidentiality, integrity and availability of an organisation’s information assets. Consequently, effective relationships with suppliers are critical to an enterprise’s operations. In today’s connected world, internal information security procedures can only go so far: wherever a third party has access to your systems, data or premises, there are security risks to your organisation. Therefore, organisations must pay attention to their broader supplier ecosystem and the role it plays in maintaining the security of the information entrusted to them. Managing third-party suppliers is paramount to the security of your infrastructure.
The importance of appropriate supplier management is reinforced in ISO 27001, the international standard for information security, in the section dedicated to Supplier Relationships.
Establish a policy and define your requirements
The ISO 27001 standard mandates the development of an information security policy for supplier relationships. This document should outline your organisation’s requirements for mitigating the risks associated with any supplier’s access to its assets. These requirements will depend on the size and maturity of your organisation as well as the industry in which it operates. They will often include required certifications, such as the supplier also being certified to ISO 27001, or the completion of a security due diligence questionnaire that asks the supplier to describe their own information security frameworks. The responses can then be evaluated against your own requirements and support a decision on whether the supplier is appropriately protected.
Address security within supplier agreements
Your information security requirements should be identified, agreed and documented with each supplier that may access, process, store, communicate, or provide IT infrastructure components for your organisation’s information.
These requirements should be formally detailed in contractual agreements or specific supplier security agreements. To help with this process, you can read our blog on important questions to ask your supply chain.
Information and communication technology supply chain
The standard requires that agreements with suppliers also include provisions to address the information security risks associated with information and communications technology services and product supply chains.
This means that it is appropriate for you to verify that your suppliers have processes in place to assure themselves (and you!) of the security of their supply chain. This can be achieved by performing due diligence in the form of a questionnaire, focussed audits or as a clause within contractual agreements.
Complete an appropriate level of due diligence
Due diligence may involve a simple background or terms check for suppliers who do not pose a high level of risk, with requirements increasing in line with the risk to your organisation. It may be sufficient to expect some suppliers to be certified to ISO 27001, whereas suppliers with more in-depth access to systems or information could require additional control and assurance, such as completion of a questionnaire about their security frameworks, or even being subject to a focussed audit of their information security management system.
When considering due diligence, it is important to define the requirements that you expect suppliers to meet. These requirements are usually governed by your organisation’s risk appetite. Requiring suppliers who have some level of access to your organisation’s information to be compliant with ISO 27001 (or an equivalent security standard) is generally a good starting point.
Maintain a register of approved suppliers
The outcome of your due diligence should be formally documented and auditable. For many organisations, an ideal way to do this is to maintain a register of approved suppliers, in which the details of the supplier, their contract with you, and the due diligence completed can be recorded. This also means that it is clear to your staff which suppliers have been cleared for use, saving time and effort in the event that a supplier’s services are required at short notice. Any suppliers who do not meet the security requirements of the organisation should also be listed and clearly marked, to remind staff not to select them.
Due diligence activities should be periodically reviewed and/or repeated, to validate that the contractual agreements and NDAs are still current and relevant.
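To make the register described above concrete, here is an added example (not code from the original article or its authors) of a minimal approved-supplier register in Python. It records each supplier’s contract, approval status and due diligence history, answers the question staff actually ask (“is this supplier cleared for use?”), lists rejected suppliers so they are not selected, and flags suppliers whose due diligence is missing, overdue or whose contract has lapsed. All supplier names, contract references and dates are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum


class Status(Enum):
    APPROVED = "approved"
    REJECTED = "rejected"   # did not meet requirements; kept on the register so staff do not select them
    PENDING = "pending"     # due diligence not yet complete


@dataclass
class DueDiligence:
    performed_on: date
    method: str                       # e.g. "ISO 27001 certificate check", "security questionnaire", "focussed audit"
    outcome: str
    review_interval_days: int = 365   # how often this check must be repeated


@dataclass
class Supplier:
    name: str
    contract_ref: str
    contract_expires: date
    status: Status
    due_diligence: list = field(default_factory=list)   # chronological list of DueDiligence records


class SupplierRegister:
    """Register of suppliers plus the evidence behind each approval decision."""

    def __init__(self):
        self._suppliers = {}

    def add(self, supplier):
        self._suppliers[supplier.name] = supplier

    def record_due_diligence(self, name, check):
        """Append a new due diligence record (e.g. after a periodic re-review)."""
        self._suppliers[name].due_diligence.append(check)

    def is_cleared(self, name, today):
        """True only for an approved supplier with a contract still in force."""
        s = self._suppliers.get(name)
        if s is None:                       # unknown supplier: never cleared for use
            return False
        return s.status is Status.APPROVED and s.contract_expires >= today

    def reviews_due(self, today):
        """Non-rejected suppliers whose evidence is missing or stale, or whose contract has lapsed."""
        due = []
        for s in sorted(self._suppliers.values(), key=lambda x: x.name):
            if s.status is Status.REJECTED:
                continue
            if not s.due_diligence:
                due.append((s.name, "no due diligence recorded"))
                continue
            latest = max(s.due_diligence, key=lambda d: d.performed_on)
            if latest.performed_on + timedelta(days=latest.review_interval_days) <= today:
                due.append((s.name, "due diligence review overdue"))
            elif s.contract_expires < today:
                due.append((s.name, "contract expired"))
        return due

    def audit_trail(self, name):
        """What an auditor asks for: what was checked, when, and what was concluded."""
        s = self._suppliers[name]
        return [(d.performed_on.isoformat(), d.method, d.outcome) for d in s.due_diligence]


SAMPLE_TODAY = date(2025, 4, 1)   # constructed "today" for the sample run


def build_sample_register():
    """Constructed sample data; these suppliers, contracts and dates are hypothetical."""
    reg = SupplierRegister()
    reg.add(Supplier("Acme Hosting Ltd", "CTR-0001", date(2026, 1, 31), Status.APPROVED,
                     [DueDiligence(date(2024, 3, 1), "ISO 27001 certificate check", "certificate valid")]))
    reg.add(Supplier("Bolt Payroll Services", "CTR-0002", date(2025, 6, 30), Status.APPROVED,
                     [DueDiligence(date(2025, 1, 15), "security questionnaire", "all requirements met")]))
    reg.add(Supplier("CheapCloud Inc", "none", date(2025, 12, 31), Status.REJECTED,
                     [DueDiligence(date(2025, 2, 10), "security questionnaire", "failed: no encryption at rest")]))
    reg.add(Supplier("Delta Cleaning Co", "CTR-0004", date(2025, 12, 31), Status.PENDING))
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    for name in ("Acme Hosting Ltd", "CheapCloud Inc", "Unknown Supplier"):
        print(name, "cleared:", reg.is_cleared(name, SAMPLE_TODAY))
    for name, reason in reg.reviews_due(SAMPLE_TODAY):
        print("review needed:", name, "-", reason)
```

The design point is that a rejected supplier stays on the register with its failed check recorded, so the decision and its evidence remain auditable, while the review cadence is driven by each check’s own interval rather than a single global date.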
Monitor and review the service you get from third-party suppliers
Consider establishing a process for the periodic review of the services that suppliers deliver. Regular reviews of supplier service delivery have several benefits: they highlight breached contractual requirements or missed SLAs, reveal trends, identify service improvements, and help you understand supplier risks and the business impacts they may cause. Ideally, contractual agreements with suppliers should contain mutually agreed SLAs; you should expect regular reporting against those SLAs and hold suppliers to account where they are missed.
Organisations are constantly changing; a supplier that was deemed secure yesterday may no longer be today. Therefore, it is pivotal to ensure that supply chain cyber risk programmes are dynamic and ongoing. They should not stop after procurement but continue throughout the whole relationship life cycle. Monitoring practices include reviewing that cybersecurity requirements are being met, identifying areas for improvement, and regularly assessing supplier controls.
Understand how to manage changes to supplier services
If either party in a supplier relationship makes internal changes that affect the service provided, either in terms of technology or processes, it is important that you have agreements in place that mandate appropriate notifications. It is also important that you have processes in place internally that help you understand the changes and the impacts that may be felt. Changes could be risk assessed against defined criteria where appropriate or discussed at regular management meetings.
Supplier information security evaluation and management are essential components of an efficient and effective Information Security Management System (“ISMS”). Moreover, a resilient, secure supply chain can help organisations reduce the likelihood of security incidents. If you would like to learn more about this topic, read our Guide to Supply Chain Security.
If you’re thinking of gaining ISO 27001 accreditation, we’re here to help wherever you are on your decision path. We can help with an initial workshop, carry out a complete gap analysis, support your ISO 27001 project or manage your ISMS for you. If you’d like to understand more about our service, we’d be delighted to hear from you. Find out more about our services, or contact our friendly team today.