How to perform an ISO 27001 second-party audit of an outsourced supplier

To focus on their core business, many organizations rely on outsourced suppliers to perform support processes. While this approach may bring benefits like cost savings and access to expert knowledge and state-of-the-art technology, it can also involve risks related to loss of control over how these processes are performed and managed.

To minimize such risks, organizations should adopt practices to ensure that the processes and deliverables of outsourced suppliers are exactly what they are paying for.

This article will present some solutions that organizations should consider when performing audits of outsourced suppliers that could impact their information security. These suggestions are based on controls recommended by ISO 27001, the leading international standard for information security management.

Can organizations audit their suppliers?

Yes. Basically, there are three types of audits that can be performed, which depend on the relationship between the auditor and the auditee: first-, second-, and third-party audits. For the purpose of this article, only second-party audits will be covered. For information about first- and third-party audits, please see First-, Second- & Third-Party Audits, what are the differences?

Second-party audits involve two independent organizations that have a relationship established between them. The most common scenario is a customer auditing a supplier, but you also can have a regulatory body auditing an organization that operates in an industry it oversees.

As a customer, you can either use your own personnel to perform a second-party audit on your supplier, or you can hire an external auditor/organization to perform the audit on your behalf.


Second-party audit process

First of all, the right of a customer to audit its supplier has to be clearly established in the service agreement or contract with the supplier. This agreement/contract is the main document to define:

  • the authority of the customer’s organization, or of those performing the audit on its behalf, to audit the supplier’s processes
  • the scope of the audit and the security controls that the supplier will have to implement, including those it will have to enforce on its own suppliers

ISO 27001 has specific security controls requiring these issues to be established, and the more specific and clear they are, the easier the audit will become. For more information, see 6-step process for handling supplier security according to ISO 27001 and Which security clauses to use for supplier agreements?

The good news is that the main steps for a second-party audit are practically the same as those required for an internal audit:

  1. Defining the audit program – the establishment of an agreed schedule between customer and supplier of when the audit, or audits, will happen.
  2. Planning individual audits – the definition of which processes will be audited and how (based on the service agreement/contract), including the review of previous audits and preparation of checklists.
  3. Conducting the audit – the auditor goes to where the processes are performed to gather information and evaluate whether the processes are functioning as defined in the service agreement or contract established with the supplier, and whether they are effective in producing the required results.
  4. Reporting the audit results – the communication to the interested parties (client organization and supplier) about what is working properly, which points out any corrective actions necessary to address non-conformities, as well as any issues to be evaluated as opportunities for improvement.
  5. Follow up on actions taken – the verification of the effectiveness of the treatment of non-conformities (if they have, in fact, eliminated the problems found), as well as of any implemented improvements.

So, if your organization already has an audit process in place, or if your organization is thinking about implementing an audit process, you can apply this same process to your suppliers.

Tips on how to audit suppliers

Considering ISO 27001 controls from section A.15 and the most common security clauses applicable to service agreements/contracts, an auditor on the supplier’s premises should look for, at a minimum, evidence regarding:

  • Controls enforced by the supplier on its own supply chain.
  • Awareness and training of the supplier’s personnel about information security.
  • Internal reports of controls’ performance, internal audits, and capacity levels, and their respective reviews, including any required action to be performed, and the results achieved by the actions already implemented.
  • Reports of security incidents (which should include what has happened, impacts, and actions taken to prevent recurrence).
  • Records of changes performed, as well as those that are planned, considering changes in agreements/contracts, supplier’s infrastructure, and provided services.

Of course, as mentioned previously, the auditor must have the relevant service agreements/contracts on hand, so he can identify additional evidence that may be applicable to your specific scenario (e.g., tests of business continuity plans).

Your providers’ security should be as good as your own

The motto “security is only as strong as its weakest link” applies well to the customer-supplier relationship, making auditing practices essential to ensuring that operations are being performed as agreed and expected results are being achieved.

By considering the controls and recommendations of ISO 27001 regarding information security in suppliers’ relationships, an organization can ensure not only that its suppliers are handling its information properly, but that both customer and supplier have good visibility of all the processes and can act in a timely manner to prevent information compromise.

To learn more about auditing techniques, see this free online training ISO 27001 Lead Auditor Course.

Author: Rhand Leal

Rhand Leal has more than 15 years of experience in information security, and for six years he continuously maintained a certified Information Security Management System based on ISO 27001.

Rhand holds an MBA in Business Management from Fundação Getúlio Vargas. Among his certifications are ISO 27001 Lead Auditor, ISO 9001 Lead Auditor, Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and others. He is a member of the ISACA Brasília Chapter.