In this ultimate guide I show you everything you need to know about the ISO 27001 Supplier Security Policy and exactly what you need to do to satisfy it to gain ISO 27001 certification.
We will get to grips with what supplier management is, understand why organisations need a Supplier Security Policy, show you how to write one, and let you in on trade secret’s that’ll save you hours of time and effort, simply by using this ISO 27001 Supplier Security Template.
I am Stuart Barker: founder of High Table, Information Security expert and ISO 27001 Ninja, and this is the ISO 27001 Supplier Security Policy.
What is ISO 27001 Supplier Security?
ISO 27001 supplier security is securing the supply chain. Organisation rely on third party suppliers to provide products and services that they use as part of their solution. The security of these suppliers is outside of the control of the organisation yet it represents one of the biggest risk to information security and the protection of data.
Supplier security is about putting in a policy and processes to manage the risks that suppliers can pose to information security and to be able to gain a level of assurance that they are doing the right thing based on the organisations risk appetite.
What is an ISO 27001 Supplier Security Policy?
The ISO 27001 Supplier Security Policy sets out the guidelines and framework for how you identify, prioritise, test and monitor third party suppliers.
The Supplier Security Policy addresses known vulnerabilities by ensuring that third party suppliers follow and meet best practice standards for information security and can demonstrate their compliance.
It is about securing the supply change and managing risks that are outside of your direct control.
DO IT YOURSELF ISO 27001
All the templates, tools, support and knowledge you need to do it yourself.
ISO 27001 Supplier Security Policy Template
The ISO 27001 Supplier Security Policy is pre written and ready to go. It is designed to save you over 8 hours of work. ISO 27001 templates are an absolute time and life saver.
What is the Purpose of the ISO 27001 Supplier Security Policy
The purpose of the ISO 27001 Supplier Security Policy is to ensure third party suppliers can demonstrate compliance with industry standards for information security for the products and services that we have purchased from them.
What it the ISO 27001 Supplier Security Policy Principle?
Suppliers and prioritised based on risk and business need and those of a high priority must have industry standard certifications for information security or be managed via risk management.
Why is an ISO 27001 Supplier Security Policy Important?
The Supplier Security policy is important as it sets out clearly and in written form what you expect to happen. If you don’t tell people what you expect of them then how can you expect them to do it? Communicating what is expected is a key step in any HR disciplinary process with many not being enforceable or actionable if you have not told people what to do and got them to accept that they understand what is being asked. The ISO 27001 standard wants you to have the Supplier Security policy in place, communicated, and accepted by staff as part of your ISO 27001 certification. It actually forms part of a wider set of required information security policies that are all included in the ISO 27001 toolkit.
What should a ISO 27001 Supplier Security Policy Contain
The ISO 27001 Supplier Security Policy is required to be presented in a certain way. What we mean by that is that the policy is expected to have certain document markup. Document mark up is just a fancy words for having certain information on the policy. It will need version control, a version number, an owner, an information security classification. An example acceptable use policy table of contents would look something like this:
1 Document Version Control
2 Document Contents Page
3 Third Party Supplier Security Policy
3.1 Purpose
3.2 Scope
3.3 Principle
3.4 Third Party Supplier Register
3.5 Third Party Supplier Audit and Review
3.6 Third Party Supplier Selection
3.7 Third Party Supplier Contracts, Agreements and Data Processing Agreements
3.8 Third Party Supplier Security Incident Management
3.9 Third Party Supplier End of Contract
4 Policy Compliance
4.1 Compliance Measurement
4.2 Exceptions
4.3 Non-Compliance
4.4 Continual Improvement
5 Areas of the ISO27001 Standard Addressed
How to write an ISO 27001 Supplier Security Policy
1. Identify your suppliers
Identify what suppliers your company has. Once we know what suppliers we have we know what we need to manage.
The two methods I recommend for identifying suppliers are:
- Speak to finance for everyone you have paid in the last 18 months and then sanitise that list for suppliers that provide goods and services to the ISO 27001 In Scope ‘thing’ you are getting ISO 27001 certified.
- Speak to each department, especially IT, marketing and sales who often use suppliers and do not follow the normal processes. It is not unusual for suppliers to be engaged and paid on credit cards, company cards and reclaimed via expenses and therefore will potentially not appear on the finance list of suppliers.
2. Prioritise your suppliers
Once you identify what assets you rely on to conduct business priorities them based on the importance to the business, the classification of the data that is stored, processed or transmitted through them and the risk they pose to you. Prioritising assets allows us to focus our efforts on the protection of the things that are most important to us. Consider the split between production systems and end point devices.
3. Record your suppliers
Create a record of your suppliers. You can create this from scratch or get a copy of the ISO 27001 supplier security register.
3. Create your supplier audit schedule
Based on the supplier and its priority create an audit schedule. The usual practice is to audit suppliers at least annually.
4. Audit your suppliers
Create your supplier audit process. As a minimum this process will check that you have a legally binding agreement, such as a contract, in place with the the supplier. That the agreement includes commitments for information security. In addition you will get a copy of industry standard certifications and check that they are in date and cover the services that you have acquired from them.
5. Communicate the supplier security policy to appropriate staff
Consider as part of your required communication plan the different ways and timings that are appropriate to you to communicate the supplier security policy. Make sure it is stored somewhere that people can easily access it at any time and that they can, indeed, access it.
6. Get evidence that the staff have accepted the Supplier Security Policy
Using your acceptance methodology get staff to accept that they have read and understand the policy and accept its terms. Maintain evidence of this for future audit and potential disciplinary process.
7. Manage Exceptions
There may be suppliers that you can get certificates or assurance for. These should be identified, recorded, agreed and managed via risk management with effective compensating controls in place.
ISO 27001 Supplier Security Policy Example
An ISO 27001 Supplier Security Policy example would look like this extract:
You can view the ISO 27001 Supplier Security Policy PDF
What are the benefits of an ISO 27001 Supplier Security Policy?
Other that your ISO 27001 certification requiring the following are benefits of having the ISO 27001 Supplier Security Policy:
- Improved security: Your suppliers will be implementing best practice for information security reducing the likelihood and impact of an attack
- Reduced risk: Having suppliers that are managing information security will reduce the risk of a data breach.
- Improved compliance: Standards and regulations require suppliers to manage information security effectively
- Reputation Protection: In the event of a breach having effective supplier management will reduce the potential for fines and reduce the PR impact of an event
Who is responsible for the ISO 27001 Supplier Security Policy?
Supplier Management is the responsibility of the Supplier Manager.
If you do not have a dedicated supplier manager then this role often falls the finance team with accountability being with the CFO.
DO IT YOURSELF ISO27001
Stop Spanking £10,000’s on Consultants and ISMS Online Tools
What are examples of a violation of the ISO 27001 Supplier Security Policy?
Examples of where the policy can fail or violations of the ISO 27001 Supplier Security Policy can include:
- Not having a full list of suppliers. Not knowing what you are suppliers are means you cannot protect them
- Suppliers cannot evidence information security best practice. This is usually that they do not have industry standard certifications. In this case the violation occurs if you are not managing them via risk management and cannot evidence the risk management is in place.
- Not prioritising suppliers based on risk.
- Not managing exceptions. There maybe suppliers that cannot be secured and this will require special management and compensating controls.
What are the consequences of violating the ISO 27001 Supplier Security Policy?
Not getting assurance that suppliers are effectively managing information security can have severe consequences. We rely heavily on our suppliers. The consequences could be legal and regulatory fines and / or enforcement, loss of data, loss of revenue and in the most extreme cases risk to life and closure of your organisation.
How do you monitor the effectiveness of the ISO 27001 Supplier Security Policy?
The approaches to monitoring the effectives of supplier management include:
- Reporting on the status of suppliers, contracts and their industry standard security certificates
- Internal audit of the supplier process
- External audit of the supplier process
- Review of suppliers for anomalies in operation
ISO 27001 and the ISO 27001 Supplier Security Policy
The Supplier Security Policy satisfies the following clauses in ISO 27001:
ISO 27001 Annex A Control 5.19 Information security in supplier relationships
ISO 27001 Annex A Control 5.20 Addressing information security within supplier agreements
ISO 27001 Annex A Control 5.21 Managing information security in the ICT supply chain
ISO 27001 Annex A Control 5.22 Monitoring, review and change management of supplier services
ISO 27001 Annex A Control 5.23 Information security for use of cloud services