Supplier Assessment is a very important topic in ISO 27001, especially for technology companies, as they make use of many suppliers and are sometimes not even aware of it. You will need to be in control of your suppliers: assess the high-risk suppliers on a yearly basis on a number of topics, and review all suppliers on basic information and contract.
We already have a number of controls in place.
In Step 1, we started with an overview of all suppliers [link to Supplier Overview]. In the section Software Access, you can also record that a supplier has access to certain software.
Next to that, in the Templates section you can find the Supplier Management Procedure. In this procedure we have defined a process that is supported by two Compleye Online sections: Supplier Overview and Supplier Assessment. The owner of the supplier will need to perform the actual assessment. Multiple owners can be involved in these assessments; every owner will need to read this wiki and follow the steps.
First: Read the Supplier Management Procedure and customize it if needed (we do not advise you to). Approve it and add the final version (PDF) to the Procedure/Info feature.
Next: Check that you have added all information in the Supplier Overview and that you have profiled the suppliers (low, medium or high) on Security and Business Continuity. For ISO 27001 it is not needed to profile Quality. Once all the information is added, Compleye Online automatically selects all suppliers with a High Risk in their profile; all these suppliers are already visible in this section. You can add more suppliers, if you think it is important to assess them, via Add New (a dropdown list of all suppliers from the Supplier Overview).
Final: When you select a supplier, use the yellow Edit button (top right corner) to start the actual assessment. The first choice you have to make is whether the supplier is itself ISO 27001 certified. Depending on that choice, you will get a different set of assessment questions. Particularly for High Risk suppliers we advise working only with ISO 27001 certified companies; otherwise you will need to perform extra checks and be even more in control. However, if you work closely with suppliers and know them very well, it is easier to stay in control. In the top right box you find the supplier's information from the Supplier Overview, so you have access to all details and it is easier to fill in the actual assessment.
Now you start working by filling in all information (see below); helper buttons are in place for support. You will do a number of checks and end by defining the residual risk, and perhaps come up with some improvements. Make sure you have addressed all the High Risk suppliers that are assigned to you as an owner. Plan a meeting with C-level (or someone else from the ISMS team) to evaluate the risk and improvements. That person approves the residual risk (with or without the improvements) and signs off by using the Reviews & Approval of Residual Risk. Now you have finalized the supplier assessment. Congrats! This is a big step in being more in control of potentially huge risks. Do not forget to add the improvements in the Improvement section.
Suppliers listed will already have some information pre-filled with the Supplier Overview data. To perform the assessment, click Edit (upper-right corner) and you will be prompted with one of two sets of questions based on your first selection: is the supplier ISO 27001 certified or not.
Example 1 – High Risk Supplier, ISO 27001 certified

| Field name | Value / Description | Example |
| --- | --- | --- |
| Supplier | free text / prefilled | AWS |
| Is ISO 27001 certified | yes / no | select yes |
| Review the SoA | free text field: confirm that you have retrieved and reviewed the latest Statement of Applicability from the supplier | SoA – attached in Supplier Overview |
| Cross reference with SoA | free text field: check that all jobs you have outsourced to this supplier are shown as in scope on their SoA | All outsourced jobs are in scope with AWS |
| How is communication with the supplier organized? | free text field: indicate the person/department responsible for communicating with the supplier and specify the most used communication channel | We have a direct contact person for our CTO. Communication takes place over email. |
| Is the supplier involved in procedures? | free text field: confirm whether the supplier contributes to, participates in or plays a key role in the organization's procedural documents. If so, confirm whether such procedures have changed in the last 12 months and whether the supplier has been informed about those changes where necessary | no direct involvement |
| Was the supplier involved in incidents? | free text field: confirm whether in the last 12 months the supplier has been involved in technical or privacy incidents and/or (quality) complaints recorded by the organization. Describe the impact and the CAPA in place. | 0 incidents in AWS environment this year |
| Business continuity controls in place | free text field: confirm whether the supplier has an effect on the business continuity control measures. If so, what are the identified risks and the implemented preventive controls? | Scaling services for additional data are in place, with automatic email confirmation. |
| Quality performance controls in place | free text field: confirm whether the supplier influences the quality of the products or services provided by the organization. If so, indicate the implemented controls to maintain and preserve the quality of products/services | no |
| Define residual risk | Taking the controls and measures defined above into consideration, define the residual risk | Residual risk is the result from annually performing a PEN test on vulnerabilities on AWS |
| Suggested improvements | If required, indicate the improvements that should be adopted to strengthen the implemented controls and measures for managing and overseeing the ongoing relationship with the supplier | for next year we will need to improve our access management policy for AWS |
Example 2 – High Risk Supplier, NOT ISO 27001 certified

| Field name | Value / Description | Example |
| --- | --- | --- |
| Supplier | free text / prefilled | Hotjar |
| Is ISO 27001 certified | yes / no. This value is linked to the Supplier Overview section as well, so changing it here also changes it in the Supplier Overview | selected – no |
| How is communication with the supplier organized? | free text field: indicate the person/department responsible for communicating with the supplier and specify the most used communication channel | There is no direct contact – via online helpdesk |
| Reason the supplier is not (yet) ISO 27001 certified | free text field: provide the reason the supplier has not obtained ISO 27001 certification | I don't know |
| Review contract / SLA | free text field: confirm whether the contract / SLA executed with the supplier was reviewed prior to signing, taking into account the relevant Security, Quality and Business Continuity factors. Review the contract / SLA annually: are there any changes that might have an impact on security, privacy and/or quality? | SLA in place – online with KPIs |
| Review DPA | free text field: if a DPA is in place, confirm whether it has been reviewed and whether the ISO 27001 standards or similar are adequately addressed/included | N/A |
| Is a security policy in place? | free text field: confirm whether the supplier has a security policy in place. Add a copy of the document to the Supplier Overview. Is this policy sufficient for its purpose? | not available |
| Is the supplier involved in procedures? | free text field: confirm whether the supplier contributes to, participates in or plays a key role in the organization's procedural documents. If so, confirm whether such procedures have changed in the last 12 months and whether the supplier has been informed about those changes where necessary | no |
| Was the supplier involved in incidents? | free text field: confirm whether in the last 12 months the supplier has been involved in technical or privacy incidents and/or (quality) complaints recorded by the organization. Describe the impact and the CAPA in place. | no |
| Data security controls in place | free text field: confirm whether the supplier has been given access to information and/or data held by the organization. If so, confirm the access management controls applied and whether the process is embedded in the access management policy. | AFTER |
| Business continuity controls in place | free text field: confirm whether the supplier has an effect on the business continuity control measures. If so, what are the identified risks and the implemented preventive controls? | we can easily change this supplier |
| Quality performance controls in place | free text field: confirm whether the supplier influences the quality of the products or services provided by the organization. If so, indicate the implemented controls to maintain and preserve the quality of products/services | not |
| Define residual risk | Taking the controls and measures defined above into consideration, define the residual risk | no risk |
| Suggested improvements | If required, indicate the improvements that should be adopted to strengthen the implemented controls and measures for managing and overseeing the ongoing relationship with the supplier | no improvement |