Annex A.15.1 of ISO 27001, Information Security in Supplier Relationships, requires you to thoroughly consider and evaluate your relationships with suppliers and other third parties, such as partners, through the lens of security, access to information, and potential impact on your assets.
In practice, this means that you need to adopt processes and controls to identify, monitor, and manage security risks across supplier relationships, taking into consideration the following requirements:
- Information security in supplier relationships: required to protect assets that may be shared with or accessed by suppliers.
- Information security policy for supplier relationships: required to identify, oversee and manage the risks related to the supplier’s access to the organization’s assets.
- Addressing security within supplier agreements: required to establish and agree on relevant security risks and requirements with each supplier that may access, process or store information, or provide IT infrastructure services.
- Supplier service delivery management: required to maintain compliance with supplier agreements within the agreed service levels.
To improve business and processes between your organization and its suppliers, several important aspects of supplier management must be considered. To ensure compliance with the ISO 27001 standard, you need to implement a set of controls and processes that address the risks associated with engaging suppliers.
When implementing a set of controls and processes to address suppliers’ risks, the following could be considered:
- Executing contractual agreements with each supplier. The agreements may vary significantly among the different types of suppliers; however, consideration should always be given to the specific information security requirements and obligations.
- Maintaining a current and easily accessible list of your suppliers, which is crucial to maintaining and addressing information security in supplier relationships.
- Formalizing the Supplier Management Policy and Procedures that describe the procedural steps required to ensure compliance with the ISO 27001 standard.
- Implementing supplier change management processes and controls.
- Where possible and proportionate to the services provided, ensuring that suppliers meet the contractual information security requirements by monitoring, reviewing and auditing suppliers on a regular basis.
- Determining and adequately documenting, if applicable, whether suppliers have access to your IT infrastructure and other relevant tools and applications.
- Determining and adequately documenting, if applicable, whether suppliers have access to data, in particular personal data.
- Determining and adequately documenting, if applicable, whether suppliers may be involved in security procedures.
- Performing the relevant Supplier Risk Security Assessment, as included in Compleye Online and guided by the Wiki Supplier Risk Assessment section.
To assist your organization in maintaining and safeguarding records of suppliers, Compleye Online provides a comprehensive overview of suppliers and further supports supplier risk profiling, as well as supplier risk assessments, if required. The principal functionalities of the Supplier Overview section are specifically designed to capture the necessary supplier information.
The Supplier Overview has been divided into the following sections: General, Compliance and Risk Profile.
The General Section captures the supplier information and description of services, as well as supporting documentation that can be further used for identifying, grouping, and evaluating supplier relationships.
Consider the following key points when completing the Supplier General Section:
- A full and correct supplier name should be recorded under the Supplier Name field. Once you have added a new supplier, you will not be able to change the supplier’s name unless the whole section is deleted; therefore, care should be taken when adding and naming a supplier.
- Add the Supplier Profile under the Profile tab by selecting one of the predefined supplier profiles listed in the drop-down list. If you are unable to find the appropriate supplier profile in the drop-down menu, select the “other” option and specify the supplier profile under the “other” field that will appear in the overview. By choosing the correct supplier profile, you will not only group the suppliers but also be able to search for a particular supplier in the supplier overview.
- The supplier overview requires you to include basic supplier information such as the service description, supplier headquarters, jurisdiction of the supplier, and contact details, which should be populated with correct and up-to-date information.
- Specify the type, runtime, and date of execution of the contractual agreement. To centralize supplier records that could be used during internal and external audits, and to facilitate supplier risk assessment, it is also recommended to upload the signed supplier contractual agreements.
- If a supplier is given access to IT infrastructure or any other IT components held and managed by the organization, tick the box ‘is part of Software Access’. By ticking the box, the supplier will automatically appear as an option in the Access Management Section.
- Compleye Online also provides the ‘Export All’ function, which exports the supplier information to an Excel file that can be used and shared by your organization when needed. Note that uploaded documents can be downloaded from view mode only, not from edit mode.
The Compliance Section will help you identify and determine the information required to assess whether the supplier’s adopted security safeguards, as well as privacy measures, are sufficient and adequate to protect your assets. A thorough evaluation and completion of this section will greatly support your compliance with the ISO 27001 standard and will form the basis for any further risk assessments, if required.
Consider the following key points when completing the Supplier Compliance Section:
- Compliance-related information can be sourced from supplier websites, contractual agreements, publicly available information or communicated directly by a supplier in a security statement or any other applicable document.
- It is recommended to determine whether a supplier complies with the GDPR requirements and to reflect this information under the ‘GDPR Policy in Place’ checkbox. To achieve this, you may simply request or locate the publicly available Privacy Statement and determine whether the key GDPR requirements are addressed. Please also upload the Supplier Privacy Statement to the Compliance Section.
- You need to determine whether a supplier is ISO 27001 certified and record this information accordingly under the Compliance Section. The certification status is important, as it may have an impact on the risk assessment in the event of a supplier being regarded as high risk.
- If a supplier holds any other certification such as SOC 1, SOC 2, SOC 3, and SOC for Cybersecurity, please record and document this information in the Compliance Section. If an actual certification or any other evidence is available, please make sure that such documentation is also uploaded to this section.
- Subject to the scope of services, and depending on the contractual and business relationship, you may execute a number of contractual agreements that formalize the relationship between you and the supplier. These may include, but are not limited to, the following:
  - Non-Disclosure Agreement or any other type of Confidentiality Agreement.
  - Terms and Conditions or any other universal users’ terms that are agreed upon with a supplier.
  - Data Processing Agreement that regulates any personal data processing activities conducted for business purposes.
  - Service Level Agreement that defines the level of service expected from a supplier.
  - Any other contractual agreements executed with a supplier for the purpose of providing the agreed services.
All of the above agreements, if signed and available, should be uploaded to the Compliance Section as evidence. Having this particular section thoroughly completed and the agreements uploaded will greatly support your organization during both internal and external audits.
To facilitate the definition and classification of individual risk profiles, the Compleye Online Risk Profile Section supports you in assigning and maintaining the risk profiles for each of your suppliers.
Consider the following key points when completing the Supplier Risk Profile Section:
- Establish adequate risk criteria against which the importance of a risk is evaluated and selected. To assist you in this process, we have established the risk criteria outlined below, which you can use as guidance.
- For consistency and transparency of supplier risk profiling, it is recommended to record the adopted risk criteria in the Procedure / Info section and to apply them to each supplier.
| Risk criterion | Low | Medium | High |
|---|---|---|---|
| Information Security Risk | Supplier has no access to information and data, including personal data and/or source code. | Supplier only has access to metadata on information and data, including personal data and/or source code. | Supplier has access to information and data, including personal data and/or source code. |
| Business Continuity Risk | In the event of a supply interruption, switching to a comparable service is relatively easy. | A supply interruption causes short-term problems within important business processes. | A supply interruption causes mid-term to long-term problems within important business processes. |
| Quality Risk | Supplier has no direct effect or influence on the quality or performance of products delivered or services provided by the organization. | Supplier has a certain effect or influence on the quality or performance of products delivered or services provided by the organization. | Supplier has a significant effect or influence on the quality or performance of products delivered or services provided by the organization. |
- The accepted risk criteria should also be reflected in the Supplier Management policy and procedure. The quality risk is not mandatory for ISO 27001 certification; however, to achieve more comprehensive and reliable risk profiling, it is recommended to consider the quality risk when evaluating supplier relationships, particularly when the quality of services may have an impact on business functions.
- Based on the evaluation and information gathered in the General and Compliance Sections, you need to determine the most appropriate risk profile for each individual supplier, taking into consideration the agreed risk criteria. The Supplier Risk Profiling used to determine the Initial Risk Score has three categories: High, Medium or Low.
- The following four checkboxes should be considered and updated at a later stage, as part of the ISO 27001 implementation process:
  - Part of outsourced ISO27001 jobs (Statement of Applicability)
  - Stakeholder in access management overview (Certification Process)
  - Access to restricted data (Data Classification)
  - Involved in security procedures (Policies & Procedures)
| Field Name | Value | Example / tips |
|---|---|---|
| Name | Free text field. | Compleye |
| Owner | Select the owner from a drop-down menu. | [Name of team member] |
| Status | Select the status from a drop-down menu; options are Active or Inactive. | Active |
| Profile | Select a business profile from a drop-down menu; options are: Business Services Provider, MarCom, Office Tools, Project Management Tools, Third-Party Data Provider, Documentation Storage, Other. | Business Services |
| Supplier Headquarters | Indicate the supplier’s headquarters in a free text format. | Amsterdam, The Netherlands |
| Jurisdiction of Supplier | Indicate the supplier’s country of residence in a free text format. | Amsterdam |
| Type of Contract | Indicate the contract type in a free text format. | Paid Subscription |
| Date of Contract | Select a date using the embedded calendar. | [date picker] |
| + Upload Document | | [Upload the confirmation of assignment] |
| Run Time | Specify the service run time in a free text format. | 1 year |
| Used Since | Select a date using the embedded calendar. | [date picker] |
| Closed Since | Select a date using the embedded calendar. | – |
| Main Contact | Indicate the main contact in a free text format. | Karolin Kruiskamp |
| Contact Details | Indicate contact details in a free text format. | firstname.lastname@example.org |
| Field Name | Value | Example / tips |
|---|---|---|
| Terms & conditions available | Select the checkbox to indicate an affirmative choice. If required, include additional information in a free text format. | [selection] |
| GDPR policy in place | Select the checkbox to indicate an affirmative choice. | [Some suppliers have specific GDPR policies or statements available; most of them are published on the supplier’s website.] |
| NDA/Confidentiality agreement signed | Select the checkbox to indicate an affirmative choice. If required, include additional information in a free text format. | [selection] |
| Data process agreement | Select the checkbox to indicate an affirmative choice. If required, include additional information in a free text format. | [If yes, add the DPA to the DPA overview under Section Legal & Compliance – GDPR.] |
| Software license agreement | | [Selection; if yes, add the SLA to this section.] |
| Certifications | | [Check on the website what kind of certifications are in place, e.g. ISO 9001, SOC 2, etc.] |
| Extra Info | Include any additional information, if available. | [Whatever information you think might be valuable; also use this section for notes if there are changes.] |
| Upload Document | Upload relevant documents, if available. | |
| Field Name | Value | Example / tips |
|---|---|---|
| Risk Criteria | Include the prescribed risk criteria in a free text format. | [Use the content in the Wiki as an example, adjust if needed, and add it to the Criteria info box in the Procedure/Info section.] |
| Information Security Risk | Select the determined risk profile from a drop-down menu; options are Low, Medium, High. | Low |
| Business Continuity | Select the determined risk profile from a drop-down menu; options are Low, Medium, High. | Medium |
| Upload Document | Upload the relevant document, if available. | |
| Part of Outsourced ISO27001 | Select the checkbox to indicate an affirmative choice. | |
| Stakeholder in Access Management Overview | Checkbox combined with descriptive free text. | |
| Access to Restricted Data Resources | | |
| Involved in Security Procedure | | |