Introduction
In this ultimate guide I show you everything you need to know about the ISO 27001 Supplier Security Policy and exactly what you need to do to satisfy it to gain ISO 27001 certification.
We will get to grips with what supplier management is, understand why organisations need a Supplier Security Policy, show you how to write one, and let you in on trade secretโs thatโll save you hours of time and effort, simply by using this ISO 27001 Supplier Security Template.
Table of contents
- Introduction
- What is ISO 27001 Supplier Security?
- What is an ISO 27001 Supplier Security Policy?
- ISO 27001 Supplier Security Policy Purpose
- ISO 27001 Supplier Security Policy Principle
- How to write an ISO 27001 Supplier Security Policy
- ISO 27001 Supplier Security Policy Template
- ISO 27001 Supplier Security Policy Example
- How to manage suppliers in ISO 27001
- ISO 27001 Supplier Security Policy FAQ
- Further Reading
What is ISO 27001 Supplier Security?
ISO 27001 supplier security is securing the supply chain. Organisation rely on third party suppliers to provide products and services that they use as part of their solution. The security of these suppliers is outside of the control of the organisation yet it represents one of the biggest risk to information security and the protection of data.
Supplier security is about putting in a policy and processes to manage the risks that suppliers can pose to information security and to be able to gain a level of assurance that they are doing the right thing based on the organisations risk appetite.
What is an ISO 27001 Supplier Security Policy?
Theย ISO 27001 Supplier Security Policyย sets out the guidelines and framework for how you identify, prioritise, test and monitor third party suppliers.
Theย Supplier Security Policyย addresses known vulnerabilities by ensuring that third party suppliers follow and meet best practice standards for information security and can demonstrate their compliance.
It is about securing the supply change and managing risks that are outside of your direct control and it is one of theย ISO 27001 policiesย required by theย ISO 27001ย standard forย ISO 27001 certification.
ISO 27001 Supplier Security Policy Purpose
The purpose of theย ISO 27001 Supplier Security Policyย is to ensure third party suppliers can demonstrate compliance with industry standards for information security for the products and services that we have purchased from them.
ISO 27001 Supplier Security Policy Principle
Suppliers and prioritised based on risk and business need and those of a high priority must have industry standard certifications for information security or be managed via risk management.
How to write an ISO 27001 Supplier Security Policy
Time needed: 1 hour and 30 minutes
How to write an ISO 27001 Supplier Security Policy
- Write the ISO 27001 Supplier Security Policy Contents Page
1 Document Version Control
2ย Document Contents Page
3ย Third Party Supplier Security Policy
3.1ย Purpose
3.2ย Scope
3.3ย Principle
3.4ย Third Party Supplier Register
3.5ย Third Party Supplier Audit and Review
3.6ย Third Party Supplier Selection
3.7ย Third Party Supplier Contracts, Agreements and Data Processing Agreements
3.8ย Third Party Supplier Security Incident Management
3.9ย Third Party Supplier End of Contract
4ย ย ย Policy Compliance
4.1ย Compliance Measurementโจ
4.2 Exceptionsโจ
4.3 Non-Complianceโจ
4.4ย Continual Improvement
5 ย Areas of the ISO27001 Standard Addressed - Write the ISO 27001 Supplier Security Policy Purpose
The purpose of this policy is to ensure the data security requirements of third-party suppliers and their sub-contractors and the supply chain.
- Write the ISO 27001 Supplier Security Policy Principle
Third party suppliers meet the requirements of the company, legislation, and regulation for data security.
- Write the ISO 27001 Supplier Security Policy Scope
All employees and third-party users.
All third-party suppliers that process, store or transmit confidential or personal data. - Explain the third party supplier register
ย All third parties are registered and recorded in the Third-Party Supplier Register.
Third parties are assessed for criticality to the business.
Third parties are classified based on the data processed, stored, or transmitted.
In addition, the following is captured as a minimum:
– Supplier Name and contact details
– What they do for us
– What data they process store or transmit
– Whether we have a contract and a copy of the contract
– What assurance we have over their data security - Describe the supplier audit and review approach
Each third party is subject to audit and review of data security in line with the Third-Party Audit and Review process.
The level of audit and review is based on risk. - Lay out the supplier selection criteria
Third parties are selected based on their ability to meet the needs of the business.
Before engaging a third-party supplier, data security due diligence is carried out that includes
– An acceptable level of data security with identified, recorded, and managed risks.
– Appropriate references.
– Appropriate certifications.
– Appropriate supplier agreements and contracts that include data security requirements.
– Legal and regulatory compliance. - Record the requirements for supplier contacts and agreements
An appropriate contract, agreement and / or Data Processing Agreement must be in place and enforceable before engaging and third-party supplier to process, store or transmit confidential or personal information.
Third party supplier contracts and agreements include the right to audit.
All company policies apply to the third-party supplier.
The use by third party suppliers of sub-contractors must be approved by a senior manager and the sub-contractor is subject to the same terms and company policies as the third-party supplier.
All third-party suppliers are assessed for their requirements under GDPR and where appropriate privacy impact assessments and data processing agreements are in place. - Explain the roles of supplier incident management
Third party suppliers must have a Security Incident Management process in place.
Third party supplier security incidents that impact confidential or personal information must be reported within 12 hours elapsed of becoming aware of the incident.
Third party supplier security incidents are managed as part of the incident management process. - Describe what happens at the end of supplier contracts
At the end of the contract the third party will confirm in writing that it has met it contractual and legal obligations for the destruction of company confidential and personal information.
All access to systems and information is revoked.
All assets are returned to the company. - Describe the process for policy compliance
Set how compliance with the policy will be measured and enforced.
ISO 27001 Supplier Security Policy Template
Theย ISO 27001 Supplier Security Policy Template is designed to fast track your implementation and give you an exclusive, industry best practice policy template that is pre written and ready to go. It is included in theย ISO 27001 toolkit.
ISO 27001 Supplier Security Policy Example
Anย ISO 27001 Supplier Security Policyย example would look like this extract:
How to manage suppliers in ISO 27001
1. Identify your suppliers
Identify what suppliers your company has. Once we know what suppliers we have we know what we need to manage.
The two methods I recommend for identifying suppliers are:
- Speak to finance for everyone you have paid in the last 18 months and then sanitise that list for suppliers that provide goods and services to the ISO 27001 In Scope ‘thing’ you are getting ISO 27001 certified.
- Speak to each department, especially IT, marketing and sales who often use suppliers and do not follow the normal processes. It is not unusual for suppliers to be engaged and paid on credit cards, company cards and reclaimed via expenses and therefore will potentially not appear on the finance list of suppliers.
2. Prioritise your suppliers
Once you identify what assets you rely on to conduct business priorities them based on the importance to the business, the classification of the data that is stored, processed or transmitted through them and the risk they pose to you. Prioritising assets allows us to focus our efforts on the protection of the things that are most important to us. Consider the split between production systems and end point devices.
3. Record your suppliers
Create a record of your suppliers. You can create this from scratch or get a copy of the ISO 27001 supplier security register.
3. Create your supplier audit schedule
Based on the supplier and its priority create an audit schedule. The usual practice is to audit suppliers at least annually.
4. Audit your suppliers
Create your supplier audit process. As a minimum this process will check that you have a legally binding agreement, such as a contract, in place with the the supplier. That the agreement includes commitments for information security. In addition you will get a copy of industry standard certifications and check that they are in date and cover the services that you have acquired from them.
5. Communicate the supplier security policy to appropriate staff
Consider as part of your required communication plan the different ways and timings that are appropriate to you to communicate the supplier security policy. Make sure it is stored somewhere that people can easily access it at any time and that they can, indeed, access it.
6. Get evidence that the staff have accepted the Supplier Security Policy
Using your acceptance methodology get staff to accept that they have read and understand the policy and accept its terms. Maintain evidence of this for future audit and potential disciplinary process.
7. Manage Exceptions
There may be suppliers that you can get certificates or assurance for. These should be identified, recorded, agreed and managed via risk management with effective compensating controls in place.
ISO 27001 Supplier Security Policy FAQ
The following are benefits of having the ISO 27001 Supplier Security Policy:
Improved security: Your suppliers will be implementing best practice for information security reducing the likelihood and impact of an attack
Reduced risk: Having suppliers that are managing information security will reduce the risk of a data breach.
Improved compliance: Standards and regulations require suppliers to manage information security effectively
Reputation Protection: In the event of a breach having effective supplier management will reduce the potential for fines and reduce the PR impact of an event
The Supplier Security policy is important as it sets out clearly and in written form what you expect to happen. If you donโt tell people what you expect of them then how can you expect them to do it? Communicating what is expected is a key step in any HR disciplinary process with many not being enforceable or actionable if you have not told people what to do and got them to accept that they understand what is being asked. The ISO 27001 standard wants you to have the Supplier Security policy in place, communicated, and accepted by staff as part of your ISO 27001 certification. It actually forms part of a wider set of required information security policies that are all included in the ISO 27001 toolkit.
Supplier Management is the responsibility of the Supplier Manager.
If you do not have a dedicated supplier manager then this role often falls the finance team with accountability being with the CFO.
Examples of where the policy can fail or violations of theย ISO 27001 Supplier Security Policyย can include:
Not having a full list of suppliers. Not knowing what you are suppliers are means you cannot protect them
Suppliers cannot evidence information security best practice. This is usually that they do not have industry standard certifications. In this case the violation occurs if you are not managing them via risk management and cannot evidence the risk management is in place.
Not prioritising suppliers based on risk.
Not managing exceptions. There maybe suppliers that cannot be secured and this will require special management and compensating controls.
Not getting assurance that suppliers are effectively managing information security can have severe consequences. We rely heavily on our suppliers. The consequences could be legal and regulatory fines and / or enforcement, loss of data, loss of revenue and in the most extreme cases risk to life and closure of your organisation.
The approaches to monitoring the effectives of supplier management include:
Reporting on the status of suppliers, contracts and their industry standard security certificates
Internal audit of the supplier process
External audit of the supplier process
Review of suppliers for anomalies in operation
Further Reading
The Supplier Security Policy satisfies the following clauses in ISO 27001:
ISO 27001 Annex A Control 5.19 Information security in supplier relationships
ISO 27001 Annex A Control 5.20 Addressing information security within supplier agreements
ISO 27001 Annex A Control 5.21 Managing information security in the ICT supply chain
ISO 27001 Annex A Control 5.22 Monitoring, review and change management of supplier services
ISO 27001 Annex A Control 5.23 Information security for use of cloud services