
The ISO 27001 & ISO 22301 Blog

6-step process for handling supplier security according to ISO 27001

Since more and more data is being processed and stored with third parties, the protection of such data is becoming an increasingly significant issue for information security professionals – it’s no wonder that the new 2013 revision of ISO 27001 has dedicated one whole section of Annex A to this issue.

But how is it possible to protect the information that is not directly under your control? Here is what ISO 27001 requires…

Why is it not only about suppliers?


Of course, suppliers are the ones that will handle sensitive information of your company most often. For example, if you outsourced the development of your company software, chances are that the software developer will not only learn about your company processes – they will also have access to your live data, meaning they will probably know what’s most valuable in your company; the same goes if you use cloud services.

But you may also have partners – e.g., you may develop a new product with some other company, and in this process you share with them your most sensitive research & development data, in which you have invested many years and a lot of money.

Then there are customers, too. Let’s say you are participating in a tender, and your potential customer asks you to reveal lots of information about your structure, your employees, your strengths and weaknesses, your intellectual property, pricing, etc.; they may even require a visit where they will do an on-site audit. All this basically means they will access your sensitive information, even if you don’t make any deal with them.

The process of handling third parties

So, how do you protect your information? Basically, to be compliant with ISO 27001 you should follow this process:

(Figure: the process of handling third parties)

1. Risk assessment (clause 6.1.2). You should assess the risks to the confidentiality, integrity and availability of your information if you outsource part of your processes or allow a third party to access your information. For example, during the risk assessment you may realize that some of your information might be exposed to the public and cause huge damage, or that some information may be permanently lost. Based on the results of the risk assessment, you can decide whether the next steps in this process are necessary or not – for example, you may not need to perform a background check or insert security clauses for your cafeteria supplier, but you probably will need to do so for your software developer.

2. Screening (control A.7.1.1) / auditing. This is where you need to perform background checks on your potential suppliers or partners – the more risks that were identified in the previous step, the more thorough the check needs to be; of course, you always have to make sure you stay within the legal limits when doing this. Available techniques vary widely, and may range from checking the financial information of the company all the way to checking the criminal records of the CEO/owners of the business. You may also need to audit their existing information security controls and processes.

3. Selecting clauses in the agreement (control A.15.1.2). Once you know which risks exist and what the specific situation is in the company you have chosen as a supplier/partner, you can start drafting the security clauses that need to be inserted in the agreement. There may be dozens of such clauses, ranging from access control and the labelling of confidential information, all the way to which awareness trainings are needed and which methods of encryption are to be used.

4. Access control (control A.9.4.1). Having an agreement with a supplier does not mean they need access to all of your data – you have to make sure you give them access on a “need-to-know” basis. That is, they should access only the data that is required for them to perform their job.

5. Compliance monitoring (control A.15.2.1). You may hope that your supplier will comply with all the security clauses in the agreement, but this is very often not the case. This is why you have to monitor and, if necessary, audit whether they comply with all the clauses – for instance, if they agreed to give access to your data only to a small number of their employees, this is something you need to check.

6. Termination of the agreement. No matter whether your agreement has ended under friendly or less-than-friendly circumstances, you need to make sure all your assets are returned (control A.8.1.4) and all access rights are removed (control A.9.2.6).
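Steps 4 to 6 above are the ones that can actually be verified against your own systems: supplier accounts should exist only on the systems the agreement covers and only for the people the supplier named, the number of people with access should not exceed what was agreed, and once the agreement ends every account should be disabled and the assets recorded as returned. The following is an added example, not code from the article or from Advisera, of a reconciliation check that turns those clauses into findings. The data structures, the supplier names, the systems and the dates are all constructed sample data and assumptions; a real check would feed it an export from your identity management system and your contract register instead.

```python
"""Reconcile third-party accounts against what the supplier agreements allow.

Added example (not part of the original article). Implements the checks that
steps 4 to 6 of the process call for: need-to-know scope, the agreed number of
named supplier staff, and removal of access and return of assets on termination.
All supplier names, systems, people and dates below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple


@dataclass
class SupplierAgreement:
    supplier: str
    allowed_systems: Set[str]      # systems the security clauses permit access to
    max_people: int                # cap on supplier staff holding access
    named_people: Set[str]         # roster the supplier committed to in the agreement
    ends_on: Optional[date] = None  # set once the agreement has been terminated
    assets_returned: bool = False   # laptops, tokens, documents (control A.8.1.4)


@dataclass
class Account:
    user: str
    supplier: str
    system: str
    enabled: bool


def check_supplier_access(agreements: List[SupplierAgreement],
                          accounts: List[Account],
                          today: date) -> List[Tuple[str, str]]:
    """Return (supplier, finding) pairs; an empty list means everything is compliant."""
    findings: List[Tuple[str, str]] = []
    by_supplier = {a.supplier: a for a in agreements}

    # Per-account checks: scope, roster, and lingering access after termination.
    for acct in accounts:
        agr = by_supplier.get(acct.supplier)
        if agr is None:
            findings.append((acct.supplier,
                             f"account {acct.user} on {acct.system} has no agreement on file"))
            continue
        terminated = agr.ends_on is not None and agr.ends_on <= today
        if terminated:
            if acct.enabled:  # control A.9.2.6: access rights must be removed
                findings.append((acct.supplier,
                                 f"agreement ended {agr.ends_on} but {acct.user} "
                                 f"is still enabled on {acct.system}"))
            continue
        if not acct.enabled:
            continue
        if acct.system not in agr.allowed_systems:  # control A.9.4.1: need-to-know
            findings.append((acct.supplier,
                             f"{acct.user} has access to {acct.system}, outside the agreed scope"))
        if acct.user not in agr.named_people:
            findings.append((acct.supplier, f"{acct.user} is not on the agreed roster"))

    # Per-agreement checks: headcount cap (A.15.2.1) and asset return (A.8.1.4).
    for agr in agreements:
        active = {a.user for a in accounts if a.supplier == agr.supplier and a.enabled}
        if agr.ends_on is None or agr.ends_on > today:
            if len(active) > agr.max_people:
                findings.append((agr.supplier,
                                 f"{len(active)} people have access, agreement allows {agr.max_people}"))
        elif not agr.assets_returned:
            findings.append((agr.supplier, "agreement ended but assets not recorded as returned"))
    return findings


# Constructed sample data: one active software developer, one terminated cleaning service.
SAMPLE_TODAY = date(2017, 6, 7)
SAMPLE_AGREEMENTS = [
    SupplierAgreement("DevCo", {"crm-prod", "git"}, max_people=2, named_people={"ana", "bo"}),
    SupplierAgreement("CleanCo", {"badge-system"}, max_people=5, named_people={"cy"},
                      ends_on=date(2017, 5, 31), assets_returned=False),
]
SAMPLE_ACCOUNTS = [
    Account("ana", "DevCo", "crm-prod", True),
    Account("bo", "DevCo", "git", True),
    Account("bo", "DevCo", "hr-db", True),          # outside the agreed scope
    Account("dee", "DevCo", "crm-prod", True),      # not on the roster; pushes headcount to 3
    Account("cy", "CleanCo", "badge-system", True),  # agreement ended, account still enabled
    Account("zed", "UnknownCo", "git", True),       # no agreement on file at all
]


def run_sample() -> List[Tuple[str, str]]:
    """Run the check over the constructed data; returns six findings."""
    return check_supplier_access(SAMPLE_AGREEMENTS, SAMPLE_ACCOUNTS, SAMPLE_TODAY)


if __name__ == "__main__":
    for supplier, finding in run_sample():
        print(f"{supplier}: {finding}")
```

Each finding maps back to a clause you can point at in the agreement, which is what makes the result usable in a compliance-monitoring audit rather than just an access review: a supplier with too many active accounts is in breach of the roster clause, and a terminated supplier whose accounts are still enabled is the case step 6 exists to prevent.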

Focus on what’s important

So, if you are purchasing stationery or printer toner, you are probably going to skip most of this process because your risk assessment will allow you to do so; but when hiring a security consultant, or for that matter a cleaning service (because they have access to all your facilities outside working hours), you should carefully perform each of the six steps.

As you probably noticed from the above process, it is quite difficult to develop a one-size-fits-all checklist for checking the security of a supplier – rather, you should use this process to figure out for yourself what the most appropriate approach is to protect your most valuable information.

Click here to see an example of a Supplier Security Policy.


  • illeac

    Example:
    Access control (control A.9.4.1). “…..you have to make sure you give them the access on a “Need-to-know basis.”…”

    Hold on – this assumes that the third party does NOT HAVE any form of “super-user” or “admin” privileges over your data/applications/network stack and that such a requirement is feasibly and reliably implemented and enforced. This in turn means that you know the structure of the security architecture and its limitations, e.g. DAC vs FMAC/MAC, etc. It indicates, via this clause, that any obsolete DAC/RBAC scheme is not suitable and that a minimum of, say, Redhat RHEL 6 or 7 with SELinux (LLSP) activated, or an equivalent, is a requirement. In turn this then needs to be verified under International Standard IS 15408 (the Common Criteria) at, say, at least EAL4 assessment level. Any other approach would appear to be simply “you” guessing and that is rather worthless!

  • Abhi

    Thank you Dejan. Good information.

Dejan Kosutic
Lead ISO 27001/22301 Expert, Advisera