Audio version of the article
The objective is to maintain an agreed level of information security and service delivery in line with supplier agreements. Once operations of service providers have started, ensuring that the services delivered conform to the specifications of third-party contracts is important. This can include everything from availability levels of the service to something more granular, such as examining the security controls the service provider agreed to in the contract. If there is a great level of dependency upon third-party service providers, checking into service capabilities, plans for handling information security incidents or service disruptions, and business continuity testing may be warranted. Systematic monitoring and reviews of services and controls are also recommended, including scrutinizing service reports provided by the third-party to ensure the information is sufficient and relevant. As business or information technology requirements are modified, this may also require a change in the provision of third-party services, and procedures should be in place to handle any new requirements. Additionally, modifications may also call for a review of existing information security controls to ensure they are adequate.
The organization should regularly monitor, review, evaluate and manage change in supplier information security practices and service delivery.
To maintain an agreed level of information security and service delivery in line with supplier agreements.
ISO 27001 Implementation Guidance
Monitoring, review and change management of supplier services should ensure the information security terms and conditions of the agreements are complied with, information security incidents and problems are managed properly and changes in supplier services or business status do not affect service delivery. This should involve a process to manage the relationship between the organization and the supplier to:
a) monitor service performance levels to verify compliance with the agreements; b) monitor changes made by suppliers including:
- enhancements to the current services offered;
- development of any new applications and systems;
- modifications or updates of the supplier’s policies and procedures;
- new or changed controls to resolve information security incidents and to improve information security;
c) monitor changes in supplier services including:
- changes and enhancement to networks;
- use of new technologies;
- adoption of new products or newer versions or releases;
- new development tools and environments;
- changes to physical location of service facilities;
- change of sub-suppliers;
- sub-contracting to another supplier;
d) review service reports produced by the supplier and arrange regular progress meetings as required by the agreements;
e) conduct audits of suppliers and sub-suppliers, in conjunction with review of independent auditor’s reports, if available and follow-up on issues identified;
f) provide information about information security incidents and review this information as required by the agreements and any supporting guidelines and procedures;
g) review supplier audit trails and records of information security events, operational problems, failures, tracing of faults and disruptions related to the service delivered;
h) respond to and manage any identified information security events or incidents;
i) identify information security vulnerabilities and manage them;
j) review information security aspects of the supplier’s relationships with its own suppliers;
k) ensure that the supplier maintains sufficient service capability together with workable plans designed to ensure that agreed service continuity levels are maintained following major service failures or disaster
l) ensure that suppliers assign responsibilities for reviewing compliance and enforcing the requirements of the agreements;
m) evaluate regularly that the suppliers maintain adequate information security levels.
The responsibility for managing supplier relationships should be assigned to a designated individual or team. Sufficient technical skills and resources should be made available to monitor that the requirements of the agreement, in particular the information security requirements, are being met. Appropriate actions should be taken when deficiencies in the service delivery are observed.
See ISO/IEC 27036-3 for more detail.
This control describes how organizations regularly monitor, review their supplier service delivery. Conducting reviews and monitoring is best done based on the information at risk – as a one-size approach will not fit all. The organization should aim to conduct its reviews in line with the proposed segmentation of suppliers in order to therefore optimize their resources and make sure that they focus effort on monitoring & reviewing where it will have the most impact. Sometimes there is a need for pragmatism – you are not necessarily going to get an audit, human relationship review, and dedicated service improvements with AWS if you are a very small organization. You could, however, check (say) their annually published SOC II reports and security certifications remain fit for your purpose. Evidence of monitoring should be completed based on your power, risks, and value, thus allowing your auditor to be able to see that it has been completed and that any necessary changes have been managed through a formal change control process. The organization cannot overlook the need to manage the risk to their information assets that are accessed, processed, communicated to, or managed by external parties (partners, vendors, contractors, etc.). The service provider should be continuously monitored to assure that services provided are meeting the terms of the contract and security is maintained. There should be an ongoing review of service reports, a process to address concerns and issues, and periodic audits. This section also encompasses documentation and procedures for handling security incidents, including incident reporting, mitigation, and subsequent reviews. Finally, service capability levels must be monitored to ensure that the service provider continues to meet the contract terms and needs of the business. In addition to regular review and monitoring of the services provided, the contracting organization should:
- Conduct audits of suppliers in conjunction with outside assessments
- Require the supplier to promptly notify regarding security incidents
- Provide regular audit trails and records for security events
- Have a conflict resolution process that can be invoked if requirements are not met
Organisations need to take steps to ensure that employees who are responsible for managing SLAs and supplier relationships have the requisite levels of skill and technical resources to be able to adequately assess supplier performance, and information security standards are not being breached. Organisations should draft policies and procedures which:
1) Constantly monitor service levels in accordance with published SLAs, and any shortfalls are addressed.
2) Monitor any changes made by the supplier to their own operation, including but not limited to:
- Service enhancements
- The introduction of new applications, systems or software processes
- Relevant and meaningful revisions to the suppliers internal governance documents
- Any incident management procedural changes, or efforts intended to increase levels of information security
3) Monitor any service-specific changes, including (but not limited to):
- Infrastructure amendments
- The application of emerging technologies
- The roll-out of product updates or version upgrades
- Changes in the development environment
- Logistical and physical changes to supplier facilities, including new locations
- Any changes to outsourcing partners or subcontractors
- The intention to subcontract, where the practice wasn’t previously in place
4) Ask for regular service reports, analyse data and attend review meetings in accordance with agreed levels of service delivery.
5) Audit outsourcing partners and subcontractors and pursue any areas for concern.
6) Review security incidents in accordance with agreed Incident Management standards and practices, and the supplier agreement.
7) Maintain a thorough record of information security events, tangible operational problems, fault logs and general barriers to the service delivery standards that have been agreed.
8) Proactively respond to and take remedial action towards information security-related events.
9) Highlight any information security vulnerabilities and mitigate them to the fullest extent.
10) Analyse any relevant information security factors inherent within the suppliers relationship with its own suppliers and subcontractors.
11) Ensure that service delivery is delivered to acceptable levels following significant supplier-side disruption, including disaster recovery.
12) Outline key personnel in the supplier’s operation who are responsible for maintaining compliance and adhering to the terms of an agreement.
13) Regularly audit a supplier’s ability to maintain a baseline information security standard.
Some external parties provide independent audits based on the Statement on Standards for Attestation Engagements which focuses on the design of controls and their operating effectiveness. When independent audit opinions are not available, the Organization might choose to evaluate the risk themselves. Monitoring can mean different things to different people. It can simply mean to assess, to watch, to keep track of, or to check, usually, with a special purpose. It does not mean or implies to verify or even to test. Actually, monitoring is more of a spectrum that ranges from just “keeping an eye” in the low end to requiring a site audit in the high end. Given the availability of resources at the Organization of higher education, verification could be an impractical and significantly costly requirement if applied to all or most suppliers
Effective monitoring of suppliers requires a process or methodology in place that defines the approach to take based on the risk of the supplier or engagement – activities should be more stringent and closer to the high end of the spectrum as risk increases or when exceptional situations warrant them. The organizational policy may refer to instances in which the sharing of sensitive data will result in a significant risk. Again, “significant” can mean a number of things but, ultimately, depends on the organization’s risk management practices and risk tolerance (i.e., what is an acceptable risk). Only in cases of very high risk or when exceptional situations may warrant it should supplier monitoring include a requirement to perform a site audit, or results of a Statement on Standards for Attestation Engagements audit, or results of an audit performed by an independent auditor. What should an organization do to monitor compliance with agreement requirements in most cases? Define the incremental risk to the organization when engaging a supplier as well as defining a due diligence process for mitigating those risks – third-party risk from remote access, data transmission and offsite storage. Consider the following as an outline for a contract monitoring process:
1. During System / Application / Process Implementation
a. Identify the individual(s) responsible for monitoring the relationship with the supplier.
b. During project status meetings:
- i. Assess and review status reports regarding progress made in the implementation of the security requirements included in the contract and/or statement of work.
- ii. Identify new areas or security requirements that may arise from changes in scope
c. If applicable, perform or request audit of vendor security practices and procedures and/or perform a penetration test. It may be necessary to include a legal review by general counsel, as well.
d. During final test and prior to sign-off
- i. Test system/application/process security functionality required in the contract
- ii. Review progress reports and determine if all security requirements included in the contract and/or statement of work were completed.
e. If applicable, perform application scan
2. Post Implementation
a. Follow up with system/application/process owner.
- i. Require the owner to perform a risk assessment based on policy (annual if high risk or mission-critical and bi-annual for the rest)
- ii. Review with the owner the risk assessment results. Any concerns? Any problems? Any unknowns that need to be addressed with the vendor?
b. Follow up with the supplier. Access logs available? Any pending items resolved? Are things on their end as expected? Any owner concerns? Risk assessment identified deficiencies?
c. Based on risk (annually or bi-annually), resubmit third-party information security risk assessment to assess what has changed, what needs closer scrutiny, or identify inconsistencies with previous assessments
d. Establish a working relationship with your supplier
e. Participate in supplier’s product improvement committee. What changes are been considered? How would they impact the organization’s risk and security postures
f. Review security incidents involving the system/application/process. Are these due to non-compliance?
g. If applicable, based on the contract, require subsequent assurance tests.
For currently established suppliers, assess their risk (if it has not already been done), and start with the steps listed in the Post Implementation section above as needed. It is important to keep in mind that supplier monitoring is the last step of a cascading progression. The initial identification of process and data impacted as well as initial security requirements are used to formulate purchasing requirements. The answers to the requirements are used to evaluate potential suppliers and refine security requirements. The evaluation and risk assessment of finalists refine the security requirements that will, in turn, be added as the language to the contract or statement of work. And, finally, it is the final contract and corresponding risk level that determine the appropriate supplier monitoring approach.
A good control describes how any changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures, and controls, are managed. It takes into account the criticality of business information, the nature of the change, the supplier type/s affected, the systems and processes involved, and a re-assessment of risks. Changes to supplier’s services should also take into account the intimacy of the relationship and the organization’s ability to influence or control change in the supplier. All technology systems are undergoing a continuous upgrade, change, and repair. Changes to service provisions by suppliers should be managed and documented, taking into account the sensitivity of information and services and re-assessment of risks. The contracting organization should determine how to integrate its change management process with that of the supplier. Items to consider include:
• Service enhancements
• Bug fixes
• Use of new technology
• New development tools
• Enhanced security measures
• Change of subcontractor
• Change of physical sites
Where possible, supplier changes should be integrated with the contracting organization’s change management processes.
If you need assistance or have any doubt and need to ask any questions contact me at firstname.lastname@example.org. You can also contribute to this discussion and I shall be happy to publish them. Your comments and suggestion are also welcome.