How ISO Standards Address Third-party Risk Management

ISO 27001 is one of the most widely used vendor risk management frameworks. Certification to ISO/IEC 27001 is usually not mandated unless a client requires it as a condition of a contract. Even so, any organization that handles sensitive information can find compliance with ISO 27001 useful and effective.

The popular international standard was developed by ISO, the International Organization for Standardization. It defines the requirements of an information security management system (ISMS) and has achieved international acclaim.

ISO 27001 outlines a system in which organizations identify information security risks and select appropriate controls to treat them. Annex A lists all the controls. In the 2013 edition of the standard there are 114 controls in all, divided into 14 categories.

ISO 27001 uses a risk-based approach to systematically safeguard sensitive data across technology, people, and processes. This includes third-party and supply chain vendors. As no business that relies on third-party service providers is immune to a data breach, the standard includes a category of controls that address third-party supplier and supply chain risks.

Why Do Third-Party Relationships Introduce Risk?

Reliance on vendors is a growing trend and is likely to keep growing given the evolving nature of the digital economy. But this also brings with it the risk of exposure through third-party breaches. Only carefully executed vendor risk management programs will protect organizations from third-party cybersecurity risks, and even these are not foolproof.

An organization with a well-defined ISMS can protect its supply chain relationships as well as its corporate reputation. When your current suppliers understand that you have a solid defense against information security threats, they may look forward to long-term partnerships with your organization. Additionally, assuring the protection of their vital confidential information will help your company’s reputation inside the industrial supply chain. 

How are Supplier Relationships Defined in ISO 27001?

Under the ISO standard, managing supplier relationships means establishing and maintaining rules that keep shared information safe. Suppliers are any vendor or party that handles sensitive information; this may extend to business partners and consultants. Operations that involve supplier relationships range from outsourcing IT services to academic research on product development.

Third-party relationships have emerged as a category of their own in risk management solutions. On the one hand, they are excluded from an organization’s internal risk assessment process if the direct risks related to that third party cannot be reasonably treated by the organization. But on the other hand, can an organization simply disregard consideration of these issues under the guise that the third party is responsible for its own risks and controls? 

Definitely not.

An entity that engages with your company and has access to sensitive information cannot be blindly trusted to manage its risks properly. There is inherent risk in any outsourced relationship and the greater the criticality to the ISMS, the greater the risk to the organization. Management would be required to consider that risk and determine in what way that risk should be treated.

So, while an organization cannot include a third-party provider's controls within its own ISMS, ISO has a dedicated category of controls for evaluating and monitoring third-party providers to ensure that their controls are acceptably implemented.


Which ISO Controls Address Third-Party Relationships?

Controls applicable to the management and monitoring of third-party service organizations are grouped within the ISO 27001 control set under control area A.15.

What is Annex A.15?

Once your organization’s information is shared with a supplier, you may no longer have direct control over it, regardless of its sensitivity or worth. As a result, all external suppliers must be subject to suitable technological and contractual controls and mitigation mechanisms. This is where Annex A.15 comes in.

Annex A.15 covers everything from securing information handled by external suppliers to examining the supplier’s disaster recovery processes. It also covers the development of agreements for terminating a contract or unexpected turn of events in the relationship. 

Annex A.15 is all about controlling and managing the risks connected with vendors and suppliers to guarantee that your operations and data stay secure. 

Annex A.15 provides 2 major controls:

  1. Annex A.15.1: Information security in supplier relationships

Annex A.15.1 focuses on the protection of your information in supplier partnerships. In this case, the goal is to protect digital and informational assets that are accessible to vendors and suppliers.

  2. Annex A.15.2: Supplier service delivery management

The goal of this control is to ensure that the degree of information security and service delivery agreed upon with suppliers is maintained.

It is critical to ensure that service providers meet the requirements of third-party contracts as soon as operations begin. This can include everything from the service’s availability to more specific details, such as the service provider’s security policies. A systematic assessment of services and controls is also required, as well as a close examination of service reports provided by third parties in order to verify that the data they contain is adequate and relevant.

An Outline of Controls in Annex A.15

  • A.15.1.1: Information security policy for supplier relationships

It is essential that the supplier agrees to and documents information security requirements relating to the risk of supplier access to the organization's assets. A risk assessment should be performed whenever a company wishes to grant access to a supplier.

Organizations need to define and incorporate security information controls in their policies. These include:

  1. Establishing which suppliers, such as those providing information technology (IT) and finance services, are readily available to the business.
  2. Ensuring the accuracy and completeness of the information the parties share with each other.
  3. Ensuring that all parties retain access to information or processes in the event of a disaster. There must be a strategy for recovery and contingency.
  4. Educating the organization's personnel involved in acquisitions about the related policies, processes, and procedures.
  5. Education on the acceptable rules of engagement and behavior, depending on the provider type and the amount of supplier access to the system.
  6. Educating employees who deal with supplier staff on the rules for handling the organization's information.
  7. Signing a legal contract to safeguard the integrity of the relationship.

  • A.15.1.2: Addressing Security within supplier agreements

The information security requirements for any supplier who accesses, processes, stores, communicates, or provides IT infrastructure components for the organization's information should be stated and agreed upon. This section shows how to define and accept your responsibilities, as well as how to record them securely under an applicable policy.

  • A.15.1.3: Information and communication technology supply chain

Supplier agreements include requirements to reduce the security risks connected with IT services and the product supply chain. This means that if there is a possibility of a data breach, the supplier and contractor must get in touch. Suppliers are required to describe how they dealt with any identified risk and how they assured it was eradicated, even if the risk is small. Controlling supplier relations effectively also requires the means to trace the supply chain's history and the point of origin of supplied components and services.

  • A.15.2.1: Monitoring and review of supplier services

Companies should monitor, review, and audit supplier service delivery on a regular basis. Regular monitoring and assessment of service providers is how the organization verifies that information security terms and conditions are being followed and that information security incidents and problems are effectively handled.

  • A.15.2.2: Managing changes to supplier services

Maintaining and upgrading existing information security policies, procedures, and controls is a key component of a well-managed control system. It considers the importance of business information, the nature of the change, the types of suppliers affected, the systems and procedures involved, and a reevaluation of risks. 

The closeness of the relationship and the organization’s ability to influence or manage the supplier should also be taken into account when making changes to suppliers’ services.
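To show what the A.15.2.1 monitoring and review requirement looks like once it is operationalized, the following is an added example (not code from the original article, nor from Centraleyes): a small supplier register scanner that tiers each supplier from the data it handles and its criticality to the ISMS (the risk assessment A.15.1.1 asks for), attaches a review cadence to the tier, and flags overdue reviews, lapsing agreements (A.15.1.2) and service reports that fall short of the agreed availability. The tier thresholds, review intervals, 60-day renewal warning and the sample register are all assumptions constructed for the illustration; ISO/IEC 27001 does not prescribe them.

```python
"""Supplier register scanner: an added illustration of A.15.2.1 monitoring.

Tiering rules, review intervals and the sample register below are constructed
assumptions for this example, not values taken from ISO/IEC 27001.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed maximum days between reviews, per tier (not an ISO-mandated value).
REVIEW_INTERVAL_DAYS = {"critical": 90, "high": 180, "standard": 365}
# Assumed lead time for warning that a supplier agreement is about to lapse.
RENEWAL_WARNING_DAYS = 60


@dataclass
class Supplier:
    name: str
    data_classification: str    # "public", "internal", "confidential" or "restricted"
    critical_to_isms: bool      # would a breach or outage here undermine the ISMS?
    last_review: date           # date of the last documented review/audit
    agreement_expiry: date      # end date of the signed supplier agreement
    agreed_availability: float  # availability (%) promised in the agreement
    reported_availability: float  # figure taken from the supplier's service report


def tier_for(s: Supplier) -> str:
    """Derive the risk tier from data sensitivity and ISMS criticality."""
    if s.critical_to_isms or s.data_classification == "restricted":
        return "critical"
    if s.data_classification == "confidential":
        return "high"
    return "standard"


def review_findings(s: Supplier, today: date) -> list:
    """Return the findings for one supplier; an empty list means nothing to action."""
    findings = []
    tier = tier_for(s)
    due = s.last_review + timedelta(days=REVIEW_INTERVAL_DAYS[tier])
    if today > due:
        findings.append(f"review overdue by {(today - due).days} days ({tier} tier)")
    if today >= s.agreement_expiry:
        findings.append("supplier agreement has expired (A.15.1.2)")
    elif (s.agreement_expiry - today).days <= RENEWAL_WARNING_DAYS:
        findings.append(f"supplier agreement expires within {RENEWAL_WARNING_DAYS} days")
    # Service-report check: compare the supplier's own report against the agreed level.
    if s.reported_availability < s.agreed_availability:
        findings.append(
            "service report below agreed availability "
            f"({s.reported_availability:.2f}% < {s.agreed_availability:.2f}%)"
        )
    return findings


def review_register(register: list, today: date) -> dict:
    """Scan every supplier in the register; map supplier name to its findings."""
    return {s.name: review_findings(s, today) for s in register}


# Constructed sample register (hypothetical suppliers and figures).
SAMPLE_REGISTER = [
    Supplier("Payroll SaaS (constructed)", "restricted", True,
             date(2024, 1, 15), date(2025, 6, 30), 99.9, 99.95),
    Supplier("Marketing agency (constructed)", "internal", False,
             date(2023, 11, 1), date(2024, 5, 15), 99.0, 99.5),
    Supplier("Backup storage (constructed)", "confidential", False,
             date(2024, 2, 1), date(2026, 1, 1), 99.95, 99.80),
]

if __name__ == "__main__":
    for name, findings in review_register(SAMPLE_REGISTER, date(2024, 5, 1)).items():
        print(name, "->", findings or ["no findings"])
```

Run against the constructed register on 2024-05-01, the scan reports one finding per supplier: an overdue quarterly review for the critical-tier payroll provider, an agreement about to lapse for the marketing agency, and a service report below the agreed availability for the backup provider. The point of keying the cadence to the tier is that the same register entry produces a tighter review schedule the more sensitive the shared data becomes, which is the risk-based posture the standard asks for.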

How can Centraleyes facilitate ISO Certification?

Centraleyes allows organizations to build custom questionnaires to develop risk assessments that are most relevant to the unique risk profiles of each asset or risk domain. This ensures you’re addressing the specific information security obligations each third-party vendor has agreed to and can be extended to fourth parties as well.

Vendor risk assessment results can be used to categorize vendors based on the levels of risk they pose to specific domains. This allows teams to efficiently distribute remediation efforts, focusing on vulnerabilities in the most critical assets.

Effectively implementing these controls improves your organization’s reputation from the perspective of potential customers and business partners. 

Centraleyes is here to help you on your journey toward ISO certification. Schedule a free consultation today.
