ISO 27001:2022 A.5.19 Information security in supplier relationships

External suppliers are a vital component of business operations. Suppliers may have access to a wide range of information from the supported organization. Once shared with a supplier, direct control of this information is lost, regardless of its sensitivity or value. As a result, appropriate technical and contractual controls and mitigation processes must be established with all external suppliers. One essential control is to ensure the existence of a data-sharing agreement that clearly delineates roles and responsibilities; some data privacy regulations impose specific data-sharing requirements that must be met.

The contracting organization should understand that the management of external providers is a life cycle. Part of this cycle is a process to monitor and continuously assess provider performance and compliance. A variety of tools may be used to assess and validate external supplier data protection practices. In almost all cases, some mitigation will be contractual and will require extensive documentation. In addition to protecting information handled and used by external suppliers, the organization must also assess service availability: if business-critical data or functions are supported by an external entity, then the provider's disaster recovery processes are integral to the recovery processes of the hiring entity. Agreements regarding the return of data in the event of contract termination or unexpected closure should also be considered within the life cycle.

This control is about information security in supplier relationships. Its objective is the protection of the organization's valuable assets that are accessible to, or affected by, suppliers. The organization must also consider other key relationships here, for example partners that are not suppliers but still have an impact on its assets in ways that might not be covered by a contract alone. This is an important part of the information security management system (ISMS). The requirements and what they mean are examined in more depth below.

Control

Processes and procedures should be defined and implemented to manage the information security risks associated with the use of supplier's products or services.

Purpose

To maintain an agreed level of information security in supplier relationships.

ISO 27002 Implementation Guidance

The organization should establish and communicate a topic-specific policy on supplier relationships to all relevant interested parties. The organization should identify and implement processes and procedures to address security risks associated with the use of products and services provided by suppliers. This should also apply to the organization’s use of resources of cloud service providers. These processes and procedures should include those to be implemented by the organization, as well as those the organization requires the supplier to implement for the commencement of use of a supplier’s products or services or for the termination of use of a supplier’s products and services, such as:
a) identifying and documenting the types of suppliers (e.g. ICT services, logistics, utilities, financial services, ICT infrastructure components) which can affect the confidentiality, integrity and availability of the organization’s information;
b) establishing how to evaluate and select suppliers according to the sensitivity of information, products and services (e.g. with market analysis, customer references, review of documents, on-site assessments, certifications);
c) evaluating and selecting supplier’s products or services that have adequate information security controls and reviewing them; in particular, accuracy and completeness of controls implemented by the supplier that ensure integrity of the supplier’s information and information processing and hence the organization’s information security;
d) defining the organization’s information, ICT services and the physical infrastructure that suppliers can access, monitor, control or use;
e) defining the types of ICT infrastructure components and services provided by suppliers which can affect the confidentiality, integrity and availability of the organization’s information;
f) assessing and managing the information security risks associated with:

  1. the suppliers’ use of the organization’s information and other associated assets, including risks originating from potential malicious supplier personnel;
  2. malfunctioning or vulnerabilities of the products (including software components and sub-components used in these products) or services provided by the suppliers;

g) monitoring compliance with established information security requirements for each type of supplier and type of access, including third-party review and product validation;
h) mitigating non-compliance of a supplier, whether this was detected through monitoring or by other means;
i) handling incidents and contingencies associated with supplier products and services including responsibilities of both the organization and suppliers;
j) resilience and, if necessary, recovery and contingency measures to ensure the availability of the supplier’s information and information processing and hence the availability of the organization’s information;
k) awareness and training for the organization’s personnel interacting with supplier personnel regarding appropriate rules of engagement, topic-specific policies, processes and procedures and behavior based on the type of supplier and the level of supplier access to the organization’s systems and information;
l) managing the necessary transfer of information, other associated assets and anything else that needs to be changed and ensuring that information security is maintained throughout the transfer period;
m) requirements to ensure a secure termination of the supplier relationship, including:

  1. de-provisioning of access rights;
  2. information handling;
  3. determining ownership of intellectual property developed during the engagement;
  4. information portability in case of change of supplier or in sourcing;
  5. records management;
  6. return of assets;
  7. secure disposal of information and other associated assets;
  8. ongoing confidentiality requirements;

n) level of personnel security and physical security expected from supplier’s personnel and facilities.

The procedures for continuing information processing in the event that the supplier becomes unable to supply its products or services (e.g. because of an incident, because the supplier is no longer in business, or no longer provides some components due to technology advancements) should be considered to avoid any delay in arranging replacement products or services (e.g. identifying an alternative supplier in advance or always using alternative suppliers).

Other information

In cases where it is not possible for an organization to place requirements on a supplier, the organization should:
a) consider the guidance given in this control in making decisions about choosing a supplier and its product or service;
b) implement compensating controls as necessary based on a risk assessment.
Information can be put at risk by suppliers with inadequate information security management. Controls should be determined and applied to manage the supplier’s access to information and other associated assets. For example, if there is a special need for confidentiality of the information, non-disclosure agreements or cryptographic techniques can be used. Another example is personal data protection risks when the supplier agreement involves transfer of, or access to, information across borders. The organization needs to be aware that the legal or contractual responsibility for protecting information remains with the organization. Risks can also be caused by inadequate controls of ICT infrastructure components or services provided by suppliers. Malfunctioning or vulnerable components or services can cause information security breaches in the organization or to another entity (e.g. they can cause malware infection, attacks or other harm on entities other than the organization). See ISO 27036-2 for more detail.

Suppliers are used for two main reasons: you want them to do work that you have chosen not to do internally, or you cannot easily do the work as well or as cost-effectively as the supplier can. The organization should identify and require, in its policy, information security controls that specifically address external parties (contractors, service providers) gaining authorized access to the organization's information. The controls should also specify the processes and procedures to be followed, both when third-party contractors work within the organization and when there are service provider/hosting arrangements. Suppliers should be managed throughout the life cycle of the relationship, from initially reviewing their contracts and security methods to monitoring their SLAs and performance agreements once they are engaged to perform services and/or provide solutions. Access control, especially for sensitive information, must be accurately defined, managed, and monitored. Awareness training for both the organization's staff and supplier staff that handle or interact with this data must be addressed. Finally, service transitions should be documented and include procedures for secure data transfers and availability as the relationship changes during the life cycle.

Many (but not all) supplier relationships will involve cloud computing services and processes, which should be carefully considered as part of supplier relationship management. One essential control the organization can implement is a checklist for assessing contractual cloud service providers. If regulated and/or sensitive data is being placed in the cloud, the organization should consider obtaining formal written assurances from the cloud service provider, including the regular submission of independent assessments and/or audits. The organization should also consider asking the cloud service provider for a copy of an independent assurance report that focuses strictly on the controls relating to the confidentiality, integrity, and availability of information and systems (a SOC 2 report, for example).

Organizations have seen a move from consumer-level adoption of cloud services to enterprise deployment of full-scale cloud storage and collaboration platforms. Enterprise services can now offer the convenience of cloud storage and collaboration with single sign-on through the organization's identity management system, integration with other services, and contractual assurances of privacy, security, and uptime. The deployment of enterprise cloud storage and collaboration services has introduced new opportunities for how documents are conceived, completed, and submitted: employees can bring their work wherever they go, access it instantly, and collaborate with colleagues in a private and secure digital environment.

Information security requirements relating to the risk of supplier access to the organisation's assets should be agreed with the supplier and documented. Before any supplier is granted access, the organisation should carry out a risk assessment and identify and implement the required information security controls. These could include the following:

  • Identification and documentation of supplier types (e.g. IT services, financial services) that have access to the organisation's information;
  • Controls over the accuracy and completeness of information transmitted by either party;
  • Resilience and, if necessary, recovery and contingency plans to ensure the availability, for all parties, of information and information processing;
  • Awareness training in the applicable policies, processes and procedures for organisation staff involved in acquisitions;
  • Awareness training on how the organisation's staff interact with supplier staff, covering appropriate rules of engagement and behaviour based on the supplier type and the level of supplier access to the organisation's systems and information;
  • A legal contract signed by both parties to maintain the integrity of the relationship.

There are many important things to consider in the approach to supplier selection and management, but one size does not fit all and some suppliers will be more important than others. Your controls and policies should reflect that, so segmentation of the supply chain is sensible; we advocate four categories of supplier based on the value and risk in the relationship, ranging from those that are business-critical to vendors with no material impact on your organization. Some suppliers are also more powerful than their customers (imagine telling Amazon what to do if you are using AWS for hosting), so it is pointless having controls in place that the supplier will not adhere to. In those cases reliance on the supplier's standard policies, controls, and agreements is more likely, which makes supplier selection and risk management even more important.

To take a more forward-looking approach to information security in the supply chain with the more strategic (high value / higher risk) suppliers, organizations should also avoid binary 'comply or die' risk-transfer practices, e.g. onerous contracts that prevent good collaboration. Instead, we recommend developing closer working relationships with those suppliers where high-value information and assets are at risk, or where the supplier is adding to your information assets in some positive way. This is likely to lead to improved working relationships and therefore better business results. A good policy describes supplier segmentation, selection, management and exit, and how information assets shared with suppliers are controlled so that the associated risks are mitigated while business goals and objectives can still be achieved. Smart organizations will wrap their information security policy for suppliers into a broader relationship framework rather than concentrating on security alone.

An organization may want suppliers to access and contribute to certain high-value information assets (e.g. software source code, accounting and payroll information). It therefore needs clear agreements on exactly what access it is granting, so that it can control the security around it. This is especially important as more and more information management, processing, and technology services are outsourced. That means having somewhere to demonstrate that the relationship is being managed: contracts, contacts, incidents, relationship activity, risk management, and so on. Where a supplier is intimately involved in the organization but does not have its own certified ISMS, it is also worth being able to demonstrate that supplier staff are security-aware and have been trained on your policies.

Compliance with this control involves adopting a 'topic-specific' policy on information security in supplier relationships. A topic-specific policy is one dedicated to a single subject, in this case supplier relationships, and it should be tailored by supplier type, business function and level of access rather than being a blanket rule applied identically to every third-party relationship across the organisation's commercial operation. The organisation must implement policies and procedures that not only govern its own use of supplier resources and cloud platforms, but also set out how it expects its suppliers to conduct themselves before and throughout the term of the commercial relationship. The policy can be viewed as the essential qualifying document that dictates how information security governance is handled over the course of a supplier contract. It should cover the following points:

1) Maintain an accurate record of supplier types (e.g. financial services, ICT hardware, telephony) that have the potential to affect information security. Maintain a list of all suppliers, categorising them according to their business function, and add categories to the supplier types as and when required.

2) Evaluate your suppliers based on the level of risk inherent in their supplier type, using evidence such as industry references, financial statements, on-site assessments, and sector-specific certifications or partner accreditations (e.g. Microsoft partner status). Different supplier types will require different due diligence checks, so consider evaluation methods on a supplier-by-supplier basis.

3) Identify suppliers that have pre-existing information security controls in place based on their relevant information security governance procedures.

4) Identify and define the specific areas of organisation’s ICT infrastructure that suppliers will be able to either access, monitor or make use of themselves. It’s important to establish from the outset precisely how suppliers are going to interact with ICT assets be it physical or virtual and what levels of access they’re granted in accordance with their contractual obligations.

5) Define how the suppliers' ICT infrastructure can affect the organisation's data and that of its customers. Supplier ICT assets need to be reviewed according to their potential to affect uptime and integrity throughout the organisation.

6) Identify and manage the various information security risks attached to:

  • Supplier use of confidential information or protected assets (including, but not limited to, risks originating from malicious supplier personnel).
  • Faulty supplier hardware or malfunctioning or vulnerable software platforms associated with on-premise or cloud-based services.

Organisations must look out for information security risks associated with catastrophic events, such as malicious supplier-side user activity or major unforeseen software incidents, and their impact on the organisation's information security.

7) Monitor information security compliance by supplier type, based on the information security implications inherent in each type, and adjust monitoring activity to accommodate varying levels of risk.

8) Limit the amount of damage and/or disruption caused by non-compliance. Supplier activity should be monitored in an appropriate manner, and to varying degrees, in accordance with its risk level. Where non-compliance is discovered, whether proactively or reactively, immediate action should be taken.

9) Maintain a robust incident management procedure that addresses a reasonable range of contingencies. Organisations should understand precisely how to react when faced with a broad range of events relating to the supply of third-party products and services, and outline remedial actions that involve both the supplier and the organisation.

10) Enact measures that cater to the availability and processing of the supplier’s information, wherever it’s used, thereby ensuring the integrity of the organisation’s own information. Steps should be taken to ensure that supplier systems and data are handled in a way that doesn’t compromise on the availability and security of the organisation’s own systems and information.

11) Draft a thorough training plan that offers guidance on how staff should interact with supplier personnel and information on a supplier-by-supplier basis, or on a type-by-type basis. Training should cover the full spectrum of governance between an organisation and its suppliers, including engagement, granular risk management controls and topic-specific procedures.

12) Understand and manage the level of risk inherent when transferring information and physical and virtual assets between the organisation and their suppliers. Organisations should map out each stage of the transfer process and educate staff as to the risks associated with moving assets and information from one source to another.

13) Ensure that supplier relationships are terminated with information security in mind, including removing access rights and the ability to access organisational information. The organisation should have a clear understanding of how to revoke a supplier's access to information, including:

  • Identification and de-provisioning of any associated domain and/or cloud-based accounts and access rights.
  • Determining ownership of intellectual property developed during the engagement.
  • The porting of information between suppliers, or back to your organisation.
  • Records management.
  • Returning assets to their original owner.
  • Secure disposal of physical and virtual assets, including information.
  • Adherence to ongoing contractual requirements, including confidentiality clauses and/or external agreements.

14) Outline precisely how you expect the supplier to conduct themselves regarding physical and virtual security measures. Organisations should set clear expectations from the outset of any commercial relationship, that specify how supplier-side personnel are expected to conduct themselves when interacting with your staff or any relevant assets.
