{"id":4516,"date":"2014-06-30T18:48:21","date_gmt":"2014-06-30T18:48:21","guid":{"rendered":"https:\/\/multiacademstg.wpengine.com\/27001academy\/blog\/014\/06\/30\/6-step-process-for-handling-supplier-security-according-to-iso-27001\/"},"modified":"2025-07-10T08:34:17","modified_gmt":"2025-07-10T08:34:17","slug":"6-step-process-for-handling-supplier-security-according-to-iso-27001","status":"publish","type":"post","link":"https:\/\/advisera.com\/27001academy\/blog\/2014\/06\/30\/6-step-process-for-handling-supplier-security-according-to-iso-27001\/","title":{"rendered":"6-step process for handling supplier security according to ISO 27001"},"content":{"rendered":"

Updated: March 22, 2023, according to the ISO 27001 2022 revision.<\/em><\/p>\n

Since more and more data is being processed and stored with third parties, the protection of such data is becoming an increasingly significant issue for information security professionals \u2013 it\u2019s no wonder that the new 2022 revision of ISO 27001<\/a> has dedicated a set of controls in Annex A to this issue.<\/p>\n

But how is it possible to protect the information that is not directly under your control? Here is what ISO 27001 requires when it comes to supplier relationships, supplier information security requirements, and the information security policy<\/a>.<\/p>\n

\n
The process of handling third parties according to ISO 27001:<\/div>\n
\n
    \n
  1. Risk assessment<\/li>\n
  2. Screening agreement<\/li>\n
  3. Access control<\/li>\n
  4. Monitoring<\/li>\n
  5. Termination<\/li>\n<\/ol>\n<\/div>\n<\/div>\n

    S<\/strong>upplier relationship and third parties – Why is it not only about suppliers?<\/strong><\/h2>\n

    In supplier relationships, suppliers are the ones that will handle sensitive information of your company most often. For example, if you outsourced the development of your company software, chances are that the software developer will not only learn about your company processes \u2013 they will also have access to your live data, meaning they will probably know what\u2019s most valuable in your company; the same goes if you use cloud services.<\/p>\n

    But you also may have partners \u2013 e.g., you may develop a new product with some other company, and in this process you share with them your most sensitive research & development data in which you invested lots of years and money.<\/p>\n

    Then there are customers, too. Let\u2019s say you are participating in a tender, and your potential customer asks you to reveal lots of information about your structure, your employees, your strengths and weaknesses, your intellectual property, pricing, etc.; they may even require a visit where they will do an on-site audit. All this basically means they will access your sensitive information, even if you don\u2019t make any deal with them.
    \n

    <\/div>