ISO 27001:2022 A 5.20 Addressing information security within supplier agreements

Any supplier that views, processes, stores, communicates or provides IT infrastructure components for the organization's information should have all applicable information security requirements defined and agreed with it. This control governs how an organization forms a contractual relationship with a supplier, based on its security requirements and the type of supplier it is dealing with. Supplier agreements should be defined and recorded so that neither the organization nor the supplier misinterprets the obligations each party has for meeting the applicable information security requirements. The control is about defining and accepting those obligations and recording them under a relevant documented policy. That policy may set out roles and responsibilities and the limits of the supplier's access to the organization's information, and should give the organization an explicit right to audit the supplier and its sub-contractors. In the ISO 27001 supplier register we record whether we have a contract that covers the products or services we are buying. To implement this we would also keep a local copy of the contract that we can get to, and we would check that the contract includes information security requirements. We always want an in-date contract that meets the requirements of this control before we go for the ISO 27001 certification audit.

Control

Relevant information security requirements should be established and agreed with each supplier based on the type of supplier relationship.

Purpose

To maintain an agreed level of information security in supplier relationships.

ISO 27002 Implementation Guidance

Supplier agreements should be established and documented to ensure that there is clear understanding between the organization and the supplier regarding both parties’ obligations to fulfill relevant information security requirements. The following terms can be considered for inclusion in the agreements in order to satisfy the identified information security requirements:

  1. description of the information to be provided or accessed and methods of providing or accessing the information.
  2. classification of information according to the organization’s classification scheme.
  3. mapping between the organization’s own classification scheme and the classification scheme of the supplier.
  4. legal, statutory, regulatory and contractual requirements, including data protection, handling of personally identifiable information (PII), intellectual property rights and copyright and a description of how it will be ensured that they are met.
  5. obligation of each contractual party to implement an agreed set of controls, including access control, performance review, monitoring, reporting and auditing, and the supplier’s obligations to comply with the organization’s information security requirements.
  6. rules of acceptable use of information and other associated assets, including unacceptable use if necessary.
  7. procedures or conditions for authorization and removal of the authorization for the use of the organization’s information and other associated assets by supplier personnel (e.g. through an explicit list of supplier personnel authorized to use the organization’s information and other associated assets).
  8. information security requirements regarding the supplier’s ICT infrastructure; in particular, minimum information security requirements for each type of information and type of access to serve as the basis for individual supplier agreements based on the organization’s business needs and risk criteria.
  9. indemnities and remediation for failure of contractor to meet requirements.
  10. incident management requirements and procedures (especially notification and collaboration during incident remediation).
  11. training and awareness requirements for specific procedures and information security requirements (e.g. for incident response, authorization procedures).
  12. relevant provisions for sub-contracting, including the controls that need to be implemented, such as agreement on the use of sub-suppliers (e.g. requiring to have them under the same obligations of the supplier, requiring to have a list of sub-suppliers and notification before any change).
  13. relevant contacts, including a contact person for information security issues.
  14. any screening requirements, where legally permissible, for the supplier’s personnel, including responsibilities for conducting the screening and notification procedures if screening has not been completed or if the results give cause for doubt or concern.
  15. the evidence and assurance mechanisms of third-party attestations for relevant information security requirements related to the supplier processes and an independent report on effectiveness of controls.
  16. right to audit the supplier processes and controls related to the agreement.
  17. supplier’s obligation to periodically deliver a report on the effectiveness of controls and agreement on timely correction of relevant issues raised in the report.
  18. defect resolution and conflict resolution processes.
  19. providing backup aligned with the organization’s needs (in terms of frequency and type and storage location).
  20. ensuring the availability of an alternate facility (i.e. disaster recovery site) not subject to the same threats as the primary facility and considerations for fall back controls (alternate controls) in the event primary controls fail.
  21. having a change management process that ensures advance notification to the organization and the possibility for the organization of not accepting changes.
  22. physical security controls commensurate with the information classification.
  23. information transfer controls to protect the information during physical transfer or logical transmission.
  24. termination clauses upon conclusion of the agreement including records management, return of assets, secure disposal of information and other associated assets, and any ongoing confidentiality obligations.
  25. provision of a method of securely destroying the organization’s information stored by the supplier as soon as it is no longer required.
  26. ensuring, at the end of the contract, handover support to another supplier or to the organization itself.

The organization should establish and maintain a register of agreements with external parties (e.g. contracts, memorandum of understanding, information-sharing agreements) to keep track of where their information is going. The organization should also regularly review, validate and update their agreements with external parties to ensure they are still required and fit for purpose with relevant information security clauses.

Other information

The agreements can vary considerably for different organizations and among the different types of suppliers. Therefore, care should be taken to include all relevant requirements for addressing information security risks.

All relevant information security requirements must be in place with each supplier that has access to, or can impact, the organisation's information or the assets that process it. This should not be one size fits all: take a risk-based approach around the different types of suppliers involved and the work they do. An organization may want suppliers to access and contribute to certain high-value information assets (e.g. software code development, accounting or payroll information). It therefore needs clear agreements on exactly what access it is allowing, so that it can control the security around it. This is especially important as more and more information management, processing and technology services are outsourced. That means having a place to show that management of the relationship is happening: contracts, contacts, incidents, relationship activity, risk management, etc. Where the supplier is intimately involved in the organization but does not have its own certified ISMS, ensuring that supplier staff are security-aware and trained on your policies is also worth demonstrating compliance around.

Working with suppliers that already meet the majority of your organization's information security needs for the services they provide to you, and have a good track record of addressing information security concerns responsibly, is a very good idea, as it makes all of these processes much easier. In simple terms, look for suppliers that have already achieved independent ISO 27001 certification or equivalent. It is also important to keep suppliers informed of and engaged with any changes to the ISMS, or specifically engaged around the parts that affect their services. Your auditor will want to see this evidenced, so keep a record of it in your supplier on-boarding projects or annual reviews.

Things to include in the supply scope and agreements generally include: the work and its scope; the information at risk and its classification; legal and regulatory requirements (e.g. adherence to GDPR or other applicable legislation); reporting and reviews; non-disclosure; IPR; incident management; specific policies to comply with if important to the agreement; obligations on sub-contractors; screening of staff, etc. A good standard contract will deal with these points but, as above, sometimes it might not be required and could be way over the top for the type of supply, or it might not be possible to force a supplier to follow your idea of good practice. Be pragmatic and risk-centred in the approach.

Supplier agreements should be established and documented to ensure there is no misunderstanding regarding both parties’ obligations to fulfill relevant security, legal, and/or regulatory requirements. Organizations are increasingly using outsourced services. While sensitive data processes and services might be outsourced, responsibility for the associated risk remains with the organization. Supplier agreements should include (as appropriate) clear and concise information regarding:

  • The types of data being accessed and methods of access
  • Definitions of data ownership and disposition throughout the service lifecycle
  • The organization’s data classification requirements as they apply to the supplier
  • Definition of acceptable uses for the data handled by the supplier
  • Establishment of security incident notification requirements
  • Processes and procedures for monitoring compliance with the contract requirements
  • A “right to audit” the supplier or regular access to external assessments
  • Conflict and defect resolution
  • The required screening, training or other obligations of the supplier’s staff
  • The use of subcontractors to provide services and the extension of security requirements to them.

It is important to address the risk early in the procurement phase of the relationship with external parties so that roles, responsibilities and expectations can be clearly defined in agreements or contracts. This control explicitly states that both parties should exit the process with a “clear understanding” of their information security obligations to one another.

A clear description should be provided of the information that is to be accessed in any way, and how that information is going to be accessed. The organisation should classify the information to be accessed in accordance with its published classification scheme. Adequate consideration should be given to the supplier-side classification scheme, and how it maps to the organisation’s classification of information.

Both parties’ obligations should be categorised into four main areas: legal, statutory, regulatory and contractual. Within these four areas the various obligations should be clearly outlined, as is standard in commercial agreements, including the handling of PII, intellectual property rights and copyright stipulations, and the agreement should describe how each of these areas will be met.

Each party should be obliged to implement an agreed set of controls that monitor, assess and manage information security risk, such as access control policies, contractual reviews, systems monitoring, reporting and periodic auditing. In addition, the agreement should clearly state that supplier personnel must adhere to the organisation’s information security requirements. There should be a clear understanding of what constitutes acceptable and unacceptable use of information, and of physical and virtual assets, by either party. Procedures should be put in place for authorising, and removing the authorisation of, supplier-side personnel to access or view the organisation’s information, e.g. authorised user lists, supplier-side audits, server access controls.

Information security requirements regarding the supplier’s own ICT infrastructure should be set in line with the type of information the organisation has provided access to, the risk criteria and the organisation’s business requirements. Consideration should be given to what courses of action the organisation is able to take in the event of a breach of contract on the part of the supplier, or failure to comply with individual stipulations.

The agreement should set out a mutual incident management procedure that stipulates what needs to happen when problems arise, particularly how an incident is communicated between the parties. Personnel from both parties should be given adequate awareness training on key areas of the agreement, specifically key risk areas such as incident management and the authorisation of access to information.

Adequate attention should be given to the use of sub-contractors. If the supplier is permitted to use sub-contractors, the organisation should take steps to ensure that any such individuals or companies are bound by the same information security requirements as the supplier, for example by requiring a list of sub-suppliers and notification before any change. Where legally permissible and operationally relevant, the organisation should consider how supplier personnel are screened before interacting with its information, and how screening is recorded and reported to the organisation, including non-screened personnel and any results that give cause for concern.

The organisation should stipulate the need for third-party attestations that verify the supplier’s ability to fulfil the organisation’s information security requirements, including independent reports and third-party audits, and should have the contractual right to assess and audit the supplier’s procedures. The supplier should be obliged to deliver reports at agreed intervals covering the effectiveness of its controls, and to correct in a timely manner any issues raised in such reports.

The agreement should provide for the timely and thorough resolution of any defects or conflicts that arise during the course of the relationship. Where relevant, the supplier should operate a robust backup and disaster recovery (BUDR) policy, in line with the organisation’s needs, that covers three main considerations:

  • Backup type (full server, file and folder etc, incremental etc.)
  • Backup frequency (daily, weekly etc.)
  • Backup location and source media (onsite, offsite)

Data resilience should be achieved by operating a disaster recovery location that is separate from the supplier’s main ICT site and is not subject to the same threats. The supplier should operate a comprehensive change management process that gives the organisation advance notification of any changes that may affect information security, and allows the organisation to reject such changes. Physical security controls (building access, visitor access, room access, desk security) should be enacted commensurate with the classification of the information the supplier is permitted to access. When information is transferred between assets, sites, servers or storage locations, the supplier should ensure that data and assets are protected from loss, damage or corruption throughout the process. The agreement should outline the actions to be taken by either party in the event of termination, including but not limited to:

  • Asset disposal and/or relocation
  • Information deletion
  • Return of IP
  • Removal of access rights
  • Ongoing confidentiality obligations

The supplier should set out precisely how it will destroy or permanently delete the organisation’s information as soon as it is no longer required, e.g. on termination. If, at the end of a contract, support and/or services need to be handed over to another provider or back to the organisation, steps should be taken to ensure that the process does not interrupt the business. To ensure that the benefits of outsourcing outweigh the risks of bringing providers into the picture, contracts should be written properly, and ISO 27001 requires an organization to consider security clauses in contracts. Some examples of security clauses are:

  • Right to audit: clause ensuring the organization has the right to audit and test the security controls periodically, or upon significant changes to the relationship.
  • Notification about security breaches: clause requiring the provider to inform the organization in a timely manner regarding any security breaches that may impact the organization’s business. Generally, this clause is related to data breach notification laws that affect either the organization or the provider, or both.
  • Adherence to security practices: clause requiring the provider to adhere to the organization’s security practices, and to communicate any situations where this adherence is not achievable, helping to prevent security gaps or conflicts that could impair security performance.
  • Response time to vulnerabilities: clause requiring the provider to provide, in a timely manner, proper treatment for known vulnerabilities that may impact the organization’s business.
  • Demonstration of compliance: clause requiring the provider to provide independent evidence that its operations and controls comply with contractual requirements. This can be achieved, for example, by a third-party audit agreed upon by the provider and the organization.
  • Management of supplier’s supply chain risks: clause requiring the provider to ensure, within its own supply chain, the fulfillment of the same security clauses applied to the provider.
  • Communication of changes: clause requiring the provider to inform the organization in a timely manner regarding changes in its environment that may impact the organization’s business.
  • Maintenance of service levels: clause requiring the provider to inform the organization regarding its plans to ensure service levels in normal conditions and during disruptive events, on either the organization’s or the provider’s premises.

You should note that this is not a definitive list; other clauses may arise from risk assessments, and all contractual clauses should be reviewed by legal personnel to ensure proper wording and application. To decide which clauses to apply, focus on each supplier’s risks, by means of surveys, questionnaires and the gathering of controls documentation during supplier selection. To help you manage information on multiple suppliers, you can use criteria like:

  • categorizing suppliers based on what they do for you
  • prioritizing suppliers based on the information you share with them, or information they may have access to.
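The two criteria above, together with the register and contract checks described at the top of the article, can be turned into a repeatable pre-audit review. The following is an added example written for this page, not code from ISO/IEC 27001, ISO/IEC 27002 or any vendor tool. The tier rules (classification plus access type), the clause names, the 90-day expiry warning and the sample register are all this example's own assumptions; a real implementation would map the clause names to the organisation's own contract templates.

```python
"""Risk-based review of a supplier agreement register (ISO 27001 A.5.20).

Flags suppliers whose agreement is missing, expired, expiring soon, or
lacking the security clauses their risk tier requires. Tier rules,
clause names and the 90-day window are assumptions made for this
example, not text from the standard.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Classification scheme assumed for the example, lowest to highest.
CLASSIFICATION_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Clauses every medium- or high-tier agreement needs (assumed names).
BASE_CLAUSES = {"security_requirements", "incident_notification", "termination_and_return"}
# Additional clauses by tier; high tier also inherits the medium set.
TIER_CLAUSES = {
    "medium": {"right_to_audit", "subcontractor_flowdown"},
    "high": {"change_notification", "backup_and_dr", "secure_disposal", "independent_assurance"},
}
EXPIRY_WARNING = timedelta(days=90)


@dataclass
class Supplier:
    name: str
    service: str                      # what they do for us (categorisation)
    classification: str               # highest classification of our data they touch
    has_access: bool                  # they access/process it, not merely see metadata
    contract_expires: Optional[date]  # None means no agreement on file
    clauses: set = field(default_factory=set)
    uses_subcontractors: bool = False


def risk_tier(s: Supplier) -> str:
    """Prioritise by the information the supplier can reach."""
    rank = CLASSIFICATION_RANK[s.classification]
    if rank >= 2 and s.has_access:
        return "high"
    if rank >= 1:
        return "medium"
    return "low"


def required_clauses(tier: str, uses_subcontractors: bool) -> set:
    """Clauses the agreement must contain for this tier (empty for low tier)."""
    if tier == "low":
        return set()  # no access to non-public information: nothing to impose
    needed = BASE_CLAUSES | TIER_CLAUSES["medium"]  # new set, globals untouched
    if tier == "high":
        needed |= TIER_CLAUSES["high"]
    if not uses_subcontractors:
        needed.discard("subcontractor_flowdown")  # only matters with sub-suppliers
    return needed


def check_supplier(s: Supplier, today: date) -> list:
    """Return a list of findings; an empty list means the record is audit-ready."""
    findings = []
    if s.contract_expires is None:
        findings.append("no agreement on file")
    elif s.contract_expires < today:
        findings.append(f"agreement expired {s.contract_expires.isoformat()}")
    elif s.contract_expires - today <= EXPIRY_WARNING:
        findings.append(f"agreement expires within 90 days ({s.contract_expires.isoformat()})")
    tier = risk_tier(s)
    for clause in sorted(required_clauses(tier, s.uses_subcontractors) - s.clauses):
        findings.append(f"{tier}-tier agreement missing clause: {clause}")
    return findings


def review_register(register: list, today: date) -> dict:
    """Map each supplier name to its findings."""
    return {s.name: check_supplier(s, today) for s in register}


# Constructed sample register for the example; these are not real suppliers.
TODAY = date(2025, 11, 1)
FULL_SET = BASE_CLAUSES | TIER_CLAUSES["medium"] | TIER_CLAUSES["high"]
SAMPLE_REGISTER = [
    Supplier("Payroll SaaS", "payroll processing", "confidential", True,
             date(2025, 12, 31), FULL_SET - {"subcontractor_flowdown"}),
    Supplier("Office cleaning", "facilities", "internal", False,
             date(2026, 6, 30), set(BASE_CLAUSES)),
    Supplier("Code hosting", "source control", "restricted", True,
             date(2024, 1, 31), {"security_requirements", "incident_notification"},
             uses_subcontractors=True),
    Supplier("Stationery shop", "office supplies", "public", False, None),
]


def review_sample() -> dict:
    """Run the review over the constructed register as of TODAY."""
    return review_register(SAMPLE_REGISTER, TODAY)


if __name__ == "__main__":
    for name, findings in review_sample().items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

In the sample run the payroll provider is complete but due for renewal, the cleaning contractor (internal information, no system access) only lacks a right to audit, the source-control host is expired and missing most of its high-tier clauses including sub-contractor flow-down, and the stationery supplier is recorded as having no agreement, which a risk-based review may well accept. Adjusting the tier rules and clause sets to your own contract templates is the only change needed to use this against a real register export.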