Third-party risk management is a crucial part of an organisation’s information security practices, with suppliers often introducing vulnerabilities that can have devastating knock-on effects.
According to a Ponemon Institute and RiskRecon study, between 2021 and 2022, over half of organisations suffered a data breach caused by a third party.
To mitigate the risk, organisations must perform a risk assessment to identify weaknesses in third-party relationships. From there, they should implement appropriate controls that protect their systems and guide suppliers towards more robust defences.
Any discussion of information security risk assessments will naturally focus on ISO 27001. It’s the international standard for information security management and provides a framework to help organisations manage the three pillars of data protection: people, processes and technology.
ISO 27001 compliance is centred around the risk assessment. The framework ensures that organisations identify weaknesses that are specific to their operations and that they understand the threat level that each risk presents.
When ISO 27001 is combined with ISO 27036 – another standard in the ISO 27000 family, focused specifically on information security in supplier relationships – organisations can be confident in their defence mechanisms.
ISO 27001 third-party risk management requirements
The security controls for third-party risk management can be found in Annex A.15 of ISO 27002, the supplementary standard to ISO 27001.
Its requirements are listed below, starting with Annex A.15.1 – Information Security in Supplier Relationships. This section contains controls that “ensure the protection of the organisation’s assets that are accessible by suppliers.”
It states that organisations must:
15.1.1 a)
Identify and document “the types of suppliers, e.g. IT services, logistics utilities, financial services, IT infrastructure components, whom the organization will allow to access its information”.
15.1.1 b)
Implement “a standardised process and lifecycle for managing supplier relationships”.
15.1.1 e)
Implement “processes and procedures for monitoring adherence to established information security requirements for each type of supplier and type of access, including third party review and product validation”.
15.1.1 h)
Create policies and procedures that address “handling incidents and contingencies associated with supplier access including responsibilities of both the organization and suppliers”.
15.1.1 i)
Adopt “resilience and, if necessary, recovery and contingency arrangements to ensure the availability of the information or information processing provided by either party”.
15.1.1 l)
Create and sign an agreement stating “conditions under which information security requirements and controls will be documented”.
15.1.1 m)
Manage “the necessary transitions of information, information processing facilities and anything else that needs to be moved, and [ensure] that information security is maintained throughout the transition period.”
The requirements continue in Annex A.15.1.2 – Addressing Security in Supplier Agreements.
This section contains controls to ensure that “all relevant information security requirements should be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organisation’s information”.
It states that organisations must:
15.1.2 d)
Agree with the supplier to a “set of controls including access control, performance review, monitoring, reporting and auditing”.
15.1.2 g)
Create “information security policies relevant to the specific contract”.
15.1.2 m)
Enshrine the “right to audit the supplier processes and controls related to the agreement”.
15.1.2 n)
Implement “defect resolution and conflict resolution processes”.
15.1.2 p)
Document the “supplier’s obligations to comply with the organization’s security requirements”.
The next section is Annex A.15.1.3 – Information and Communication Technology Supply Chain.
Its controls ensure that “agreements with suppliers should include requirements to address the information security risks associated with information and communications technology services and product supply chain”.
It states that organisations must:
15.1.3 d)
Document “a monitoring process and acceptable methods for validating that delivered information and communication technology products and services are adhering to stated security requirements”.
15.1.3 f)
Obtain “assurance that critical components and their origin can be traced throughout the supply chain”.
The final section is Annex A.15.2 – Supplier Service Delivery Management, which contains controls “to maintain an agreed level of information security and service delivery in line with supplier agreements”.
It states that organisations must:
15.2.1 a)
“Monitor service performance levels to verify adherence to the agreements”.
15.2.1 c)
“Conduct audits of suppliers, in conjunction with a review of independent auditor’s reports, if available, and follow-up on issues identified”.
15.2.1 g)
“Review information security aspects of the supplier’s relationships with its own suppliers”.
15.2.1 h)
“Ensure that the supplier maintains sufficient service capability together with workable plans designed to ensure that agreed service continuity levels are maintained following major service failures or disaster”.
ISO 27036 third-party risk management requirements
The requirements of ISO 27036 mirror those of ISO 27001 in several key areas, so complying with one will usually mean complying with the other.
It’s divided into two sections, starting with Information Security in Supplier Relationship Management.
It states that organisations must:
6.1.1.1 Agreement processes / Acquisition process / Objective
“Establish a supplier relationship strategy that is based on the information security risk tolerance of the acquirer,” and that “defines the information security foundation to use when planning, preparing, managing and terminating the procurement of a product or service”.
6.2.1 Organizational project-enabling processes / Life cycle model management process
Establish, along with the supplier, “the life cycle model management process when managing information security in supplier relationships”.
6.2.2.1 Organizational project-enabling processes / Infrastructure management process / Objective
“Provide the enabling infrastructure to support the organization in managing information security within supplier relationships”.
6.2.2.2 Organizational project-enabling processes / Infrastructure management process / Activities
“Define, implement, maintain and improve contingency arrangements to ensure that the procurement or the supply of a product or service can continue in the event of its disruption caused by natural or man-made causes”.
6.2.3.2 Project portfolio management process / Activities
“Define, implement, maintain and improve a process for identifying and categorizing suppliers or acquirers based on the sensitivity of the information shared with them and on the access level granted to them to acquirer’s or supplier’s assets, such as information and information systems”.
6.3.4.1 Project processes / Risk management process / Objective
“Continuously address information security risks in supplier relationships and throughout their life cycle including re-examining them periodically or when significant business, legal, regulatory, architectural, policy and contractual changes occur”.
6.3.7.1 Project processes / Measurement process / Objective
“Collect, analyse, and report information security measures related to the procurement or supply of a product or service to demonstrate the maturity of information security in a supplier relationship and to support effective management of processes”.
The requirements continue in the second section, Information Security in a Supplier Relationship Instance.
It states that organisations must:
7.2.1 Supplier selection process / Objectives
“Select a supplier that provides adequate information security for the product or service that may be procured”.
7.4.1 Supplier relationship management process / Objectives
“Maintain information security during the execution period of the supplier relationship in accordance with the supplier relationship agreement”.
They must do this by monitoring and enforcing the supplier’s compliance with the information security provisions defined in the supplier relationship agreement.
7.5.1 Supplier relationship termination process / Objectives
“Protect the product or service supply during termination to avoid any information security, legal and regulatory impacts after the notice of termination”.
They must also terminate the product or service supply in accordance with the termination plan.
Information security risk assessments made easy

If you’re looking to get started with the risk assessment process, Vigilant Software’s vsRisk software package is the ideal solution.
It provides a simple and fast way to deliver repeatable and consistent information security risk assessments year after year.
Plus, its asset library assigns organisational roles to each asset group, applying relevant potential threats and risks by default.
Meanwhile, its integrated risk, vulnerability and threat databases eliminate the need to compile a list of risks, and the built-in control sets help you comply with multiple frameworks.
We’re currently offering a free 30-day trial of vsRisk. Simply add the number of licences you require to your basket and proceed to the checkout.