ISO 27001:2022 A 5.21 Managing information security in the ICT supply chain

Information and Communications Technology (ICT) is integral to the daily operations and functionality of the organization. From cell phones to cloud storage to satellite connectivity, the ICT supply chain encompasses the entire life cycle of hardware, software and services, and a diverse array of entities, including third-party vendors, suppliers, service providers and end users. However, the globally distributed and interconnected nature of ICT also means that exploitation of vulnerabilities in the supply chain can have cascading impacts on the organization's information security. Vulnerabilities in supply chains, whether introduced intentionally for malicious purposes or unintentionally through poor security practices, can enable data and intellectual property theft, loss of confidence in the integrity of the system, or exploitation that causes system or network failure. Compounding the risk is that vulnerabilities may be introduced during any phase of the ICT life cycle: design, development and production, distribution, acquisition, deployment, maintenance and disposal. These vulnerabilities include malicious software and hardware; counterfeit components; and poor product designs, manufacturing processes and maintenance procedures.

Control

Processes and procedures should be defined and implemented to manage the information security risks associated with the ICT products and services supply chain.

Purpose

To maintain an agreed level of information security in supplier relationships.

Guidance

The following topics should be considered to address information security within ICT supply chain security in addition to the general information security requirements for supplier relationships:
a) defining information security requirements to apply to ICT product or service acquisition;
b) requiring that ICT services suppliers propagate the organization’s security requirements throughout the supply chain if they sub-contract for parts of the ICT service provided to the organization;
c) requiring that ICT products suppliers propagate appropriate security practices throughout the supply chain if these products include components purchased or acquired from other suppliers or other entities (e.g. sub-contracted software developers and hardware component providers);
d) requesting that ICT products suppliers provide information describing the software components used in products;
e) requesting that ICT products suppliers provide information describing the implemented security functions of their product and the configuration required for its secure operation;
f) implementing a monitoring process and acceptable methods for validating that delivered ICT products and services comply with stated security requirements. Examples of such supplier review methods can include penetration testing and proof or validation of third-party attestations for the supplier’s information security operations;
g) implementing a process for identifying and documenting product or service components that are critical for maintaining functionality and therefore require increased attention, scrutiny and further follow-up when built outside of the organization, especially if the supplier outsources aspects of product or service components to other suppliers;
h) obtaining assurance that critical components and their origin can be traced throughout the supply chain;
i) obtaining assurance that the delivered ICT products are functioning as expected without any unexpected or unwanted features;
j) implementing processes to ensure that components from suppliers are genuine and unaltered from their specification. Example measures include anti-tamper labels, cryptographic hash verification or digital signatures. Monitoring for out of specification performance can be an indicator of tampering or counterfeits. Prevention and detection of tampering should be implemented during multiple stages in the system development life cycle, including design, development, integration, operations and maintenance;
k) obtaining assurance that ICT products achieve required security levels, for example, through formal certification or an evaluation scheme such as the Common Criteria Recognition Arrangement;
l) defining rules for sharing of information regarding the supply chain and any potential issues and compromises among the organization and suppliers;
m) implementing specific processes for managing ICT component life cycle and availability and associated security risks. This includes managing the risks of components no longer being available due to suppliers no longer being in business or suppliers no longer providing these components due to technology advancements. Identification of an alternative supplier and the process to transfer software and competence to the alternative supplier should be considered.
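As an added example for items d), i) and j) above (written for this page, not code from the standard or from the article's author), the following Python check verifies a delivered set of components against a supplier-provided component manifest: the manifest's authenticity is checked first, then each component's SHA-256, and any altered, missing or undeclared component is flagged. The HMAC over the manifest is an assumption that stands in for the supplier's digital signature; all component names, file bytes and the key are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed sample: the components a supplier built and attests to.
SUPPLIER_BUILD = {
    "libparser-2.4.1.so": b"\x7fELF parser build 2.4.1",
    "agent-1.0.3.bin": b"\x7fELF agent build 1.0.3",
    "docs-1.0.pdf": b"%PDF-1.7 secure configuration guide",
}
MANIFEST_KEY = b"constructed-demo-key"  # stands in for the supplier's signing key

def build_manifest(artifacts, key):
    """Supplier side: record each component's SHA-256 and authenticate the list."""
    digests = {name: hashlib.sha256(data).hexdigest() for name, data in artifacts.items()}
    body = json.dumps(digests, sort_keys=True).encode()
    return {"body": body, "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}

def manifest_is_authentic(manifest, key):
    """A manifest whose tag does not verify cannot be trusted for its hashes."""
    expected = hmac.new(key, manifest["body"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["tag"])

def verify_delivery(manifest, delivered, key):
    """Acquirer side: map each component to ok / hash-mismatch / missing / unlisted."""
    if not manifest_is_authentic(manifest, key):
        raise ValueError("manifest failed its integrity check")
    expected = json.loads(manifest["body"])
    status = {}
    for name, digest in expected.items():
        if name not in delivered:
            status[name] = "missing"           # promised component never arrived
        elif hashlib.sha256(delivered[name]).hexdigest() != digest:
            status[name] = "hash-mismatch"     # item j): altered from specification
        else:
            status[name] = "ok"
    for name in delivered:
        if name not in expected:
            status[name] = "unlisted"          # item i): unexpected extra content
    return status

def demo():
    """Constructed delivery: one component altered, one missing, one never declared."""
    manifest = build_manifest(SUPPLIER_BUILD, MANIFEST_KEY)
    delivered = {
        "libparser-2.4.1.so": SUPPLIER_BUILD["libparser-2.4.1.so"],
        "agent-1.0.3.bin": b"\x7fELF agent build 1.0.3 with an unreviewed patch",
        "helper.sh": b"#!/bin/sh\necho installed\n",
    }
    return verify_delivery(manifest, delivered, MANIFEST_KEY)
```

Only an "ok" across every listed component, with no unlisted extras, should allow the delivery to proceed to integration.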

Other information

The specific ICT supply chain risk management practices are built on top of general information security, quality, project management and system engineering practices but do not replace them. Organizations are advised to work with suppliers to understand the ICT supply chain and any matters that have an important effect on the products and services being provided. The organization can influence ICT supply chain information security practices by making clear in agreements with their suppliers the matters that should be addressed by other suppliers in the ICT supply chain. ICT should be acquired from reputable sources. The reliability of software and hardware is a matter of quality control. While it is generally not possible for an organization to inspect the quality control systems of its vendors, it can make reliable judgments based on the reputation of the vendor. ICT supply chain as addressed here includes cloud services. Examples of ICT supply chains are:

  1. cloud services provisioning, where the cloud service provider relies on the software developers, telecommunication service providers, hardware providers;
  2. IoT, where the service involves the device manufacturers, the cloud service providers (e.g. the IoT platform operators), the developers for mobile and web applications, the vendor of software libraries;
  3. hosting services, where the provider relies on external service desks including first, second and third support levels.

See ISO 27036-3 for more details including risk assessment guidance. Software identification (SWID) tags can also help to achieve better information security in the supply chain, by providing information about software provenance. See ISO 19770-2 for more details.

This control focuses on the information and communication technology supply chain, which may need measures in addition to, or instead of, the standard approach to supplier relationships. ISO advocates numerous areas for implementation, and while these are all sound, some pragmatism is needed as well. The organization should recognize its size relative to some of the very large providers it will sometimes work with (e.g. data centres and hosting services, banks, etc.), which may limit its ability to influence practices further down the supply chain. The organization should consider carefully what risks arise from the type of ICT services being provided. For example, if the supplier provides critical infrastructure services and has access to sensitive information (e.g. source code for the flagship software service), it should be held to greater protection than a supplier that is only exposed to publicly available information (e.g. a simple website).

Agreements with suppliers should include requirements that address the information security risks associated with ICT services and product supply chains. This section is largely physical in nature and defines additional points to include in supplier agreements, specifically related to their use of technology, both hardware and software. There should be a process to identify a product or service that is a critical capability and subject it to increased scrutiny. This is especially true for components built outside the supplier organization. The ability to trace origins and compliance with security requirements is integral to ensuring both integrity and availability. Finally, the organization should address the risk of a component or service becoming unavailable or no longer supported.

Supplier agreements should include requirements to reduce the security risks connected with the ICT services and product supply chain. This means that if there is a possibility of a data breach, the supplier and contractor are obliged to notify each other. Suppliers are required to describe how they dealt with minor risks, and how they ensured a risk was eradicated, even if it is a small one. Controlling supplier relationships effectively requires the means to trace the supply chain's history and its point of origin.

Given the expansion of cross-platform on-premise and cloud services over the last decade, the control deals with the supply of both hardware- and software-related components and services (on-premise and cloud-based) and rarely draws a distinction between the two. As well as the relationship between the supplier and the organisation, several points also deal with a supplier's obligations when sub-contracting elements of the supply chain to third-party organisations.

Organisations should draft a clear set of information security standards that apply to their individual needs, to set clear expectations on how suppliers should conduct themselves when delivering ICT products and services. If the ICT supplier sub-contracts any element of the supply chain, the supplier should take measures to ensure that contractors and their personnel are fully conversant with the organisation's information security standards. If the supplier needs to acquire components (physical or virtual) from a third party, it should pass the organisation's security requirements on to any vendors or suppliers it uses in turn.

Suppliers should be asked to provide information on the nature and function of the software components they use to deliver a service to the organisation. Organisations should identify the underlying security functions of any product or service supplied, and how to operate it in a way that does not compromise information security. Organisations should not take risk levels for granted, and should draft procedures that ensure any products or services a supplier delivers are secure and compliant with accepted industry standards. Methods may include certification checks, internal testing and supporting compliance documentation.

When receiving a product or service, organisations should first identify and then record any elements deemed essential to maintaining core functionality, especially if those components originated from a sub-contractor or outsourced agreement. Suppliers should be able to provide concrete assurances that "critical components" are covered by a thorough audit trail tracing their movement through the ICT supply chain, from creation through to delivery. As ICT products and services are delivered, organisations should seek categorical assurance that they not only operate within scope but also contain no additional features that may present a collateral security risk. Component specifications are key to ensuring that an organisation understands the hardware and software components it is introducing onto its network. Suppliers should consider anti-tampering measures throughout the development life cycle, and organisations should require stipulations that verify components as legitimate upon delivery.

Assurances should be sought that ICT products align with industry-standard and/or sector-specific security requirements relevant to each product. Common methods include achieving a minimum level of formal security certification or adhering to a set of internationally recognised standards (such as the Common Criteria Recognition Arrangement) per product. Organisations should take steps to ensure that suppliers are aware of their obligations when sharing information and/or data concerning the mutual supply chain operation, including acknowledging any potential conflicts or problems that may arise between the parties and how to deal with them at source.

Organisations need to draft procedures that manage risk when operating with unavailable, unsupported or legacy components, wherever they reside. Where components fall into one of these categories, organisations should be able to adapt accordingly and identify alternatives.

Protecting an organization's information in a digitally connected world requires understanding not only the organization's immediate supply chain, but also the extended supply chains of its third-party vendors, service providers and customers. The following steps will assist your organization in managing supply chain risks.

  1. Identify the people: Build a team of representatives from various roles and functions of the company (e.g., cyber security, information technology, physical security, procurement/acquisition, legal, logistics, marketing, and product development). Ensure personnel at all levels are well-trained in the security procedures of their role or function.
  2. Manage the security and compliance: Document the set of policies and procedures that address security, integrity, resilience, and quality. Ensure they are based on industry standards and best practices.
  3. Assess the components: Build a list of ICT components (e.g., hardware, software, and services) that your organization procures to enable your business. Know which internal systems are relied upon for critical information or functions, and which systems have remote access capability that must be protected to prevent unauthorized access.
  4. Know the supply chain and suppliers: Identify your suppliers and, when possible, the suppliers’ sources. In today’s world of increased outsourcing, it is important to understand your upstream suppliers as part of the larger supply chain ecosystem.
  5. Verify assurance of third-parties: Verify that your suppliers maintain an adequate security culture to appropriately address the risks that concern your organization. Establish the protocols your organization will use to assess the supply chain practices of your suppliers.
  6. Evaluate risk associated with ICT supply: Determine the frequency with which to review your risk, incorporate feedback, and make changes to your risk assessment. This may also include auditing suppliers against the practices and protocols established by your organization.
