ISO 27001 Supplier Security Policy: Ultimate Guide

Home / ISO 27001 Templates / ISO 27001 Supplier Security Policy: Ultimate Guide

In this ultimate guide I show you everything you need to know about the ISO 27001 Supplier Security Policy and exactly what you need to do to satisfy it to gain ISO 27001 certification.

We will get to grips with what supplier management is, understand why organisations need a Supplier Security Policy, show you how to write one, and let you in on trade secret’s that’ll save you hours of time and effort, simply by using this ISO 27001 Supplier Security Template.

I am Stuart Barker: founder of High Table, Information Security expert and ISO 27001 Ninja, and this is the ISO 27001 Supplier Security Policy.

What is ISO 27001 Supplier Security?

ISO 27001 supplier security is securing the supply chain. Organisation rely on third party suppliers to provide products and services that they use as part of their solution. The security of these suppliers is outside of the control of the organisation yet it represents one of the biggest risk to information security and the protection of data.

Supplier security is about putting in a policy and processes to manage the risks that suppliers can pose to information security and to be able to gain a level of assurance that they are doing the right thing based on the organisations risk appetite.

What is an ISO 27001 Supplier Security Policy?

The ISO 27001 Supplier Security Policy sets out the guidelines and framework for how you identify, prioritise, test and monitor third party suppliers.

The Supplier Security Policy addresses known vulnerabilities by ensuring that third party suppliers follow and meet best practice standards for information security and can demonstrate their compliance.

It is about securing the supply change and managing risks that are outside of your direct control.

DO IT YOURSELF ISO27001

Stop Spanking £10,000’s on Consultants and Platforms

ISO 27001 Toolkit Business Edition

ISO 27001 Supplier Security Policy Template

The ISO 27001 Supplier Security Policy is pre written and ready to go. It is designed to save you over 8 hours of work. ISO 27001 templates are an absolute time and life saver.

ISO 27001 Third Party Supplier Security Policy Template

What is the Purpose of the ISO 27001 Supplier Security Policy

The purpose of the ISO 27001 Supplier Security Policy is to ensure third party suppliers can demonstrate compliance with industry standards for information security for the products and services that we have purchased from them.

What it the ISO 27001 Supplier Security Policy Principle?

Suppliers and prioritised based on risk and business need and those of a high priority must have industry standard certifications for information security or be managed via risk management.

Why is an ISO 27001 Supplier Security Policy Important?

The Supplier Security policy is important as it sets out clearly and in written form what you expect to happen. If you don’t tell people what you expect of them then how can you expect them to do it? Communicating what is expected is a key step in any HR disciplinary process with many not being enforceable or actionable if you have not told people what to do and got them to accept that they understand what is being asked. The ISO 27001 standard wants you to have the Supplier Security policy in place, communicated, and accepted by staff as part of your ISO 27001 certification. It actually forms part of a wider set of required information security policies that are all included in the ISO 27001 toolkit.

What should a ISO 27001 Supplier Security Policy Contain

The ISO 27001 Supplier Security Policy is required to be presented in a certain way. What we mean by that is that the policy is expected to have certain document markup. Document mark up is just a fancy words for having certain information on the policy. It will need version control, a version number, an owner, an information security classification. An example acceptable use policy table of contents would look something like this:

1 Document Version Control
2 Document Contents Page
3 Third Party Supplier Security Policy
3.1 Purpose
3.2 Scope
3.3 Principle
3.4 Third Party Supplier Register
3.5 Third Party Supplier Audit and Review
3.6 Third Party Supplier Selection
3.7 Third Party Supplier Contracts, Agreements and Data Processing Agreements
3.8 Third Party Supplier Security Incident Management
3.9 Third Party Supplier End of Contract
4   Policy Compliance
4.1 Compliance Measurement

4.2 Exceptions

4.3 Non-Compliance

4.4 Continual Improvement
5   Areas of the ISO27001 Standard Addressed

How to write an ISO 27001 Supplier Security Policy

1. Identify your suppliers

Identify what suppliers your company has. Once we know what suppliers we have we know what we need to manage.

The two methods I recommend for identifying suppliers are:

  1. Speak to finance for everyone you have paid in the last 18 months and then sanitise that list for suppliers that provide goods and services to the ISO 27001 In Scope ‘thing’ you are getting ISO 27001 certified.
  2. Speak to each department, especially IT, marketing and sales who often use suppliers and do not follow the normal processes. It is not unusual for suppliers to be engaged and paid on credit cards, company cards and reclaimed via expenses and therefore will potentially not appear on the finance list of suppliers.

2. Prioritise your suppliers

Once you identify what assets you rely on to conduct business priorities them based on the importance to the business, the classification of the data that is stored, processed or transmitted through them and the risk they pose to you. Prioritising assets allows us to focus our efforts on the protection of the things that are most important to us. Consider the split between production systems and end point devices.

3. Record your suppliers

Create a record of your suppliers. You can create this from scratch or get a copy of the ISO 27001 supplier security register.

3. Create your supplier audit schedule

Based on the supplier and its priority create an audit schedule. The usual practice is to audit suppliers at least annually.

4. Audit your suppliers

Create your supplier audit process. As a minimum this process will check that you have a legally binding agreement, such as a contract, in place with the the supplier. That the agreement includes commitments for information security. In addition you will get a copy of industry standard certifications and check that they are in date and cover the services that you have acquired from them.

5. Communicate the supplier security policy to appropriate staff

Consider as part of your required communication plan the different ways and timings that are appropriate to you to communicate the supplier security policy. Make sure it is stored somewhere that people can easily access it at any time and that they can, indeed, access it.

6. Get evidence that the staff have accepted the Supplier Security Policy

Using your acceptance methodology get staff to accept that they have read and understand the policy and accept its terms. Maintain evidence of this for future audit and potential disciplinary process.

7. Manage Exceptions

There may be suppliers that you can get certificates or assurance for. These should be identified, recorded, agreed and managed via risk management with effective compensating controls in place.

ISO 27001 Supplier Security Policy Example

An ISO 27001 Supplier Security Policy example would look like this extract:

ISO 27001 Supplier Security Policy Example 1
ISO 27001 Supplier Security Policy Example 2
ISO 27001 Supplier Security Policy Example 5

You can view the ISO 27001 Supplier Security Policy PDF

What are the benefits of an ISO 27001 Supplier Security Policy?

Other that your ISO 27001 certification requiring the following are benefits of having the ISO 27001 Supplier Security Policy:

  1. Improved security: Your suppliers will be implementing best practice for information security reducing the likelihood and impact of an attack
  2. Reduced risk: Having suppliers that are managing information security will reduce the risk of a data breach.
  3. Improved compliance: Standards and regulations require suppliers to manage information security effectively
  4. Reputation Protection: In the event of a breach having effective supplier management will reduce the potential for fines and reduce the PR impact of an event

Who is responsible for the ISO 27001 Supplier Security Policy?

Supplier Management is the responsibility of the Supplier Manager.

If you do not have a dedicated supplier manager then this role often falls the finance team with accountability being with the CFO.

Stuart - High Table - ISO27001 Ninja - 3

What are examples of a violation of the ISO 27001 Supplier Security Policy?

Examples of where the policy can fail or violations of the ISO 27001 Supplier Security Policy can include:

  1. Not having a full list of suppliers. Not knowing what you are suppliers are means you cannot protect them
  2. Suppliers cannot evidence information security best practice. This is usually that they do not have industry standard certifications. In this case the violation occurs if you are not managing them via risk management and cannot evidence the risk management is in place.
  3. Not prioritising suppliers based on risk.
  4. Not managing exceptions. There maybe suppliers that cannot be secured and this will require special management and compensating controls.

What are the consequences of violating the ISO 27001 Supplier Security Policy?

Not getting assurance that suppliers are effectively managing information security can have severe consequences. We rely heavily on our suppliers. The consequences could be legal and regulatory fines and / or enforcement, loss of data, loss of revenue and in the most extreme cases risk to life and closure of your organisation.

How do you monitor the effectiveness of the ISO 27001 Supplier Security Policy?

The approaches to monitoring the effectives of supplier management include:

  1. Reporting on the status of suppliers, contracts and their industry standard security certificates
  2. Internal audit of the supplier process
  3. External audit of the supplier process
  4. Review of suppliers for anomalies in operation

ISO 27001 and the ISO 27001 Supplier Security Policy

The Supplier Security Policy satisfies the following clauses in ISO 27001:

ISO 27001 Annex A Control 5.19 Information security in supplier relationships

ISO 27001 Annex A Control 5.20 Addressing information security within supplier agreements

ISO 27001 Annex A Control 5.21 Managing information security in the ICT supply chain

ISO 27001 Annex A Control 5.22 Monitoring, review and change management of supplier services

ISO 27001 Annex A Control 5.23 Information security for use of cloud services

ISO 27001:2022 requirements

Organisational Controls - A5

ISO 27001 Annex A 5.1 Policies for information security

ISO 27001 Annex A 5.2 Information Security Roles and Responsibilities

ISO 27001 Annex A 5.3 Segregation of duties

ISO 27001 Annex A 5.4 Management responsibilities

ISO 27001 Annex A 5.5 Contact with authorities

ISO 27001 Annex A 5.6 Contact with special interest groups

ISO 27001 Annex A 5.7 Threat intelligence – new

ISO 27001 Annex A 5.8 Information security in project management

ISO 27001 Annex A 5.9 Inventory of information and other associated assets – change

ISO 27001 Annex A 5.10 Acceptable use of information and other associated assets – change

ISO 27001 Annex A 5.11 Return of assets

ISO 27001 Annex A 5.11 Return of assets

ISO 27001 Annex A 5.13 Labelling of information

ISO 27001 Annex A 5.14 Information transfer

ISO 27001 Annex A 5.15 Access control

ISO 27001 Annex A 5.16 Identity management

ISO 27001 Annex A 5.17 Authentication information – new

ISO 27001 Annex A 5.18 Access rights – change

ISO 27001 Annex A 5.19 Information security in supplier relationships

ISO 27001 Annex A 5.20 Addressing information security within supplier agreements

ISO 27001 Annex A 5.21 Managing information security in the ICT supply chain – new

ISO 27001 Annex A 5.22 Monitoring, review and change management of supplier services – change

ISO 27001 Annex A 5.23 Information security for use of cloud services – new

ISO 27001 Annex A 5.24 Information security incident management planning and preparation – change

ISO 27001 Annex A 5.25 Assessment and decision on information security events 

ISO 27001 Annex A 5.26 Response to information security incidents

ISO 27001 Annex A 5.27 Learning from information security incidents

ISO 27001 Annex A 5.28 Collection of evidence

ISO 27001 Annex A 5.29 Information security during disruption – change

ISO 27001 Annex A 5.31 Identification of legal, statutory, regulatory and contractual requirements

ISO 27001 Annex A 5.32 Intellectual property rights

ISO 27001 Annex A 5.33 Protection of records

ISO 27001 Annex A 5.34 Privacy and protection of PII

ISO 27001 Annex A 5.35 Independent review of information security

ISO 27001 Annex A 5.36 Compliance with policies and standards for information security

ISO 27001 Annex A 5.37 Documented operating procedures 

Technology Controls - A8

ISO 27001 Annex A 8.1 User Endpoint Devices

ISO 27001 Annex A 8.2 Privileged Access Rights

ISO 27001 Annex A 8.3 Information Access Restriction

ISO 27001 Annex A 8.4 Access To Source Code

ISO 27001 Annex A 8.5 Secure Authentication

ISO 27001 Annex A 8.6 Capacity Management

ISO 27001 Annex A 8.7 Protection Against Malware

ISO 27001 Annex A 8.8 Management of Technical Vulnerabilities

ISO 27001 Annex A 8.9 Configuration Management 

ISO 27001 Annex A 8.10 Information Deletion

ISO 27001 Annex A 8.11 Data Masking

ISO 27001 Annex A 8.12 Data Leakage Prevention

ISO 27001 Annex A 8.13 Information Backup

ISO 27001 Annex A 8.14 Redundancy of Information Processing Facilities

ISO 27001 Annex A 8.15 Logging

ISO 27001 Annex A 8.16 Monitoring Activities

ISO 27001 Annex A 8.17 Clock Synchronisation

ISO 27001 Annex A 8.18 Use of Privileged Utility Programs

ISO 27001 Annex A 8.19 Installation of Software on Operational Systems

ISO 27001 Annex A 8.20 Network Security

ISO 27001 Annex A 8.21 Security of Network Services

ISO 27001 Annex A 8.22 Segregation of Networks

ISO 27001 Annex A 8.23 Web Filtering

ISO 27001 Annex A 8.24 Use of CryptographyISO27001 Annex A 8.25 Secure Development Life Cycle

ISO 27001 Annex A 8.26 Application Security Requirements

ISO 27001 Annex A 8.27 Secure Systems Architecture and Engineering Principles

ISO 27001 Annex A 8.28 Secure Coding

ISO 27001 Annex A 8.29 Security Testing in Development and Acceptance

ISO 27001 Annex A 8.30 Outsourced Development

ISO 27001 Annex A 8.31 Separation of Development, Test and Production Environments

ISO 27001 Annex A 8.32 Change Management

ISO 27001 Annex A 8.33 Test Information

ISO 27001 Annex A 8.34 Protection of information systems during audit testing