
The ISO 27001 & ISO 22301 Blog

Which security clauses to use for supplier agreements?

Running a business on your own these days is practically impossible. Maintaining high levels of performance in every aspect of your business to stay competitive means draining precious resources that would be better invested in business growth and diversification. Thus, using suppliers becomes an attractive alternative.

But, while suppliers are becoming vital to every organization’s operations, this scenario introduces new risks that must be considered. For information security, valuable and sensitive information will now be handled by suppliers, and without proper treatment, this leads to increased risk of information confidentiality, integrity, or availability being compromised.

In the article “6-step process for handling supplier security according to ISO 27001” we presented an overview of an ISO 27001-based process to manage suppliers’ security. Now, this article will detail some security clauses you should seriously consider in supplier contracts to ensure proper protection of the aspects of your business operations that are under suppliers’ control.

Why include security clauses in outsourcing contracts?


In short: security should be considered a deliverable, just like any other product or service an organization expects from its supplier.

When an organization runs a process to deliver products or services to its clients, and adopts best practices like ISO 9001 or ISO 27001, it defines controls to ensure the process is performed with minimized risks and achieves the established requirements (e.g., measuring points at critical steps, redundancies, etc.).

When an organization decides that outsourcing is the better cost-benefit option, it should not only consider the product or service to be delivered, but also ensure that the related processes are properly implemented and controlled by means of security clauses. In practice, this is often not done, or not verified, properly.

Security clauses to handle outsourcing risks

To ensure that the benefits of outsourcing operations outweigh the risks of including providers in the scenario, contracts should be written properly, and ISO 27001 control A.15.1.2 (Addressing security within supplier agreements) requires an organization to consider security clauses in contracts. Some examples of security clauses are:

Right to audit: clause ensuring the organization has the right to audit and test the security controls periodically, or upon significant changes to the relationship.

Notification about security breaches: clause requiring the provider to inform the organization in a timely manner regarding any security breaches that may impact the organization’s business. Generally, this clause is related to data breach notification laws that affect either the organization or the provider, or both.

Adherence to security practices: clause requiring the provider to adhere to the organization’s security practices, and to communicate any situations where this adherence is not achievable, helping to prevent security gaps or conflicts that could impair security performance.

Response time to vulnerabilities: clause requiring the provider to treat, in a timely manner, known vulnerabilities that may impact the organization’s business.

Demonstration of compliance: clause requiring the provider to provide independent evidence that its operations and controls comply with contractual requirements. This can be achieved, for example, by a third-party audit agreed upon by the provider and the organization.

Management of supplier’s supply chain risks: clause requiring the provider to ensure, within its own supply chain, the fulfillment of the same security clauses applied to the provider.

Communication of changes: clause requiring the provider to inform the organization in a timely manner regarding changes in its environment that may impact the organization’s business.

Maintenance of service levels: clause requiring the provider to inform the organization regarding its plans to ensure service levels in normal conditions and during disruptive events, on either the organization’s or the provider’s premises.

You should note that this is not a definitive list, that other clauses may arise from risk assessments, and that all contractual clauses should be reviewed by legal personnel to ensure proper wording and application.

Tailoring clauses to specific needs

Even though it may seem like a good idea to include all of these clauses in all of your contracts with suppliers, you should avoid this. Why? Because treating all suppliers the same way doesn’t make sense. Each one of them has a different relationship with you, and imposing all of these clauses on every supplier may render your contracts too costly, or severely restrict your options regarding which suppliers can comply with them.

To define which clauses to apply, you should focus on each supplier’s risks, by means of surveys, questionnaires, and gathering of controls documentation during supplier selection. To help you manage information on multiple suppliers, you can use criteria like:

  • categorizing suppliers based on what they do for you
  • prioritizing suppliers based on information you share with them, or information they may have access to

Do not let your suppliers’ risks affect your business

Handing over part of its operational activities to a capable partner through outsourcing is an option an organization cannot ignore anymore, but this does not mean that outsourcing should be managed without care regarding security.

By adopting ISO 27001 requirements and recommendations, an organization can benefit not only from better operational performance, but also from reduced costs of managing and monitoring third-party risks (including those in the provider’s own supply chain), greater agility in responding to risks in the environment as they arise, and the capacity to allocate resources to the development and growth of its core business.

To learn more about how ISO 27001 implementation can help you define security clauses for contracts with suppliers, try our free online training ISO 27001 Foundations Online Course.


  • Gary

    That’s a good list of clauses but there’s another important topic area worth including, namely the arrangements for relationship management. Think through, discuss and agree how the relationship will be managed under routine and exceptional circumstances. I’m talking about things such as: aligned strategic goals or objectives for both parties (more than just “Do X, get paid $Y”, what value is being sought and offered/generated that benefits both parties?); reporting and metrics; regular meetings (frequency, agenda, attendance, circulation of minutes/notes, raising exceptional business, poaching workers from the other side); governance arrangements on both sides, with clear accountabilities and role & responsibilities; notification and escalation paths in case of issues or concerns, including how to handle disputes, performance issues and risks within the combined team; and perhaps a diary of key events (such as those audits you mentioned, plus performance reviews and contract renewal/renegotiation). This is conventional practice for strategic relationships in forward-thinking organizations, but I’m raising it here because of the value for information security too – especially for business-critical products (goods and services) and those with significant information, IT, information risk, information security, privacy or compliance content.

    Identifying shared goals is a wonderful opportunity to turn a potentially adversarial relationship into something much closer and more productive for both parties, more capable of surviving and resolving information and other business incidents.

    • Rhand Leal

      I agree with you that all the topics you mentioned are important, and talking about them properly would cover more than two or three articles. We chose some examples we considered readers could take immediate action on and that cover the basics of information security, but we also provide a link for material with additional clauses they should consider (link in “security clauses” https://advisera.com/27001academy/documentation/security-clauses-for-suppliers-and-partners/). There you will see that most of your suggestions are covered.
