ISO 27001: The Importance Of Third-Party Supplier Security Management 

Home / ISO 27001 / ISO 27001: The Importance Of Third-Party Supplier Security Management 

Onboarding a new supplier? Did you know that these third-party relationships represent the biggest risk to your organisation when it comes to information security?

Carrying out tedious risk assessments and completing third-party supplier questionnaires a mile long sounds like a slog, we get it. But if you don’t get serious about your third-party supplier security, you’re heading for data breach hell.

We’re here to take you to ISO 27(001) heaven. (That’ll make sense later.)


According to new research from SecurityScorecard, the global leader in cybersecurity ratings, and the Cyentia Institute, an independent cybersecurity research firm, 98% of organisations have a relationship with at least one third-party supplier that’s had a data breach in the last two years. Crazy sh*t, isn’t it?

Moral of the story? Your company’s security posture is only as strong as its weakest third-party. If anything highlights the importance of third-party risk management, THIS IS IT!

I’m Stuart Barker: ISO 27001 Ninja, information security specialist and Founder of High Table – the fastest growing ISO 27001 company, globally. At High Table, we’re all about sharing our knowledge and offering industry advice to businesses like yours in the information security space. Keep reading to find out everything you need to know about the importance of third-party security, and how ISO 27001 could be the answer to your prayers

Why third-party supplier security matters

The Ponemon Institute published research in 2021 called “A Crisis in Third-party Remote Access Security”. This research found that throughout the previous year, security breaches had occurred in 44% of the 627 firms surveyed. In 74% of those organisations, the breaches occurred because third-parties were granted toomuch access to confidential information.

Researchers discovered that 51% of these firms said they did not carefully vet each third-party’s security and privacy protocols before granting them access to sensitive data.

Woah… Let’s just stop right there for a minute. DAFUK?! Who are these people!?

Back in the room. Don’t be these people. Data breaches are expensive! So, what can we do to avoid them when it comes to third-party suppliers? 

Vetting your third-party suppliers

When onboarding a new supplier, doing your due diligence and checking that they have a robust information security posture (or not) is a must. The downside: it can be a lengthy process. 

What is a third-party supplier security questionnaire?

A supplier risk assessment questionnaire (also known as a third-party risk assessment questionnaire or a vendor risk management questionnaire) is designed to gather information about a potential supplier, identify weaknesses that could lead to a data breach, and to assess their capabilities, practices, and their compliance with your organisation’s requirements. 

The questionnaire usually covers a range of topics related to the supplier’s operations, including:

  1. General Information: This section collects basic details about the supplier, such as their name, address and contact information.
  2. Business Operations: These questions ask about the supplier’s business activities, years in service, and any relevant certifications they hold.
  3. Financial Stability: These questions assess the supplier’s financial health, including their annual revenue, financial statements, and financial soundness.
  4. Quality Management: This section analyses the supplier’s quality management systems and processes, including any certifications they have.
  5. Information Security: These questions focus on the supplier’s information security practices, data protection measures, access controls, incident response procedures, and any certifications or compliance frameworks they adhere to, like ISO 27001.
  6. Privacy and Data Protection: It explores how the supplier handles personal data, their compliance with data protection regulations like GDPR, and any contractual safeguards they have in place for data protection and privacy.
  7. Business Continuity and Disaster Recovery: This section evaluates the supplier’s preparedness for disruptions, including their business continuity plans, disaster recovery strategies, and backup procedures.
  8. Compliance and Ethics: These questions determine the supplier’s compliance with legal and regulatory requirements, ethical standards, and their approach to anti-corruption and anti-bribery measures.
  9. Risk Management: This section indicates the supplier’s approach to identifying, assessing, and mitigating risks in their operations, including their supplier risk management processes.
  10. References and Past Performance: This section may request references from the supplier’s previous clients or seek information on their past performance, including any instances of non-compliance or legal issues.

We’re with you – this is a long and complicated process. But, if your supplier is already ISO 27001 certified, this changes the game for you. Why? In order to comply with the standard, an organisation needs to evidence that they are doing all of the above

This saves you time and effort going through a prolonged authentication process to approve them as a trusted supplier, therefore it’s in a supplier’s best interest to get their ISO 27001 certification.

Are we saying you can save time and protect your organisation from expensive security incidents by only engaging third-parties who are ISO 27001 accredited? Damn right we are.

What is ISO 27001?

ISO 27001 is the leading international standard for information security. Simply, it’s a set of guidelines and best practices required to create, maintain, and continually develop an effective information security management system (ISMS).

An ISMS is a structure of policies, procedures and controls designed to monitor and protect an organisation’s sensitive information via effective risk management.

An ISMS guarantees the confidentialityintegrity, and availability of information by identifying and mitigating security risks within organisations.

Good cyber hygiene and information security management is a small price to pay when considering the financial consequences of a catastrophic security incident – so, implementing and certifying to ISO 27001 is probably the wisest decision you can make as a business owner, and that suppliers can make when demonstrating their commitment to managing risks and protecting your sensitive data.

Manage your suppliers with the ISO 27001 Supplier Register

Now it’s time to explore how you can manage your third-party security effectively. Let’s dive into the supplier register. This consists of a list of all of the suppliers, vendors and partners that store, process or transmit your data.

It’s important that third-parties provide assurance that they are following best practices for information security.

The easiest way to achieve this is to check that there’s an up to date and in date:

  • contract that includes clauses for information security and data protection.
  • industry-level certification that covers the products and / or services you receive – for instance, an ISO 27001 certification can provide us with adequate assurance.

The contract and the industry certification is noted and recorded in the supplier register. You can also record what they do for you and how reliant upon them your organisation is.

The supplier register captures key information about the supplier and is used to manage the supplier reviews and supplier assurance processes. This will lead to how you manage them.

You will know:

  • Who your suppliers are
  • What services they provide for your organisation
  • If there’s a contract in place
  • If they have information security certificates
  • What data you share with them
  • When you last reviewed them and when you will next review them

Securing the supply chain in ISO 27001

Suppliers are the biggest risk to your organisation. They provide valuable products, services and resources but are completely outside of your control.

You trust them with your most valuable information, as well as your clients’ information – and you expect them to do the right thing… but in today’s world, expectation doesn’t cut the mustard.

You can’t protect what you can’t control, and this is where effective third-party supplier management comes in.

The Third Party Supplier Policy sets out how to manage the risk associated with your suppliers.

The Third Party Supplier Register is a tool to actively manage them.

(You could waste days writing these bad boys yourself, but why would you when we’ve ploughed two decades worth of information security genius into these ready-to-edit ISO 27001 templates to help you? You’re welcome.)

ISO 27001 Third Party Supplier Assurance

The level of assurance required is based on risk.

Risk is determined by a number of factors including how critical they are to your operation and how much confidence you can evidence that they are doing the right thing for information security.

It may be that you add them to the risk register and manage them via risk management.

As part of the assurance process, make sure that every supplier in the register is reviewed annually.

We cover how the supplier fits into the information security management system in the ISO 27001 Templates Documents Ultimate Guide.

Download the best ISO 27001 Supplier Templates in the industry

These ISO 27001 templates are part of the ISO 27001 Toolkit and can be downloaded individually as part of your supplier management. At High Table, we aim to please!

ISO 27001 requirements for an ISO 27001 Supplier Register

ISO 27001 has a requirement that you must effectively manage your third-party suppliers and ensure the security of the supply chain. The ISO 27001 standard includes an annex called Annex A. 

Annex A is a standard in its own right called ISO 27002. ISO 27001 Annex A / ISO 27002 is a list of ISO 27001 controls that the organisation must implement, and supplier management is one of those. The ISO 27001 Annex A / ISO 27002 changed in 2022.

You can learn more in the ISO 27001 Supplier Register Ultimate Guide but here is what ISO 27002 states about supplier management and the ISO 27001 supplier register:

ISO 27001 Annex A 5.19 Information Security In Supplier Relationships

Processes and procedures should be defined and implemented to manage the information security risks associated with the use of supplier’s products or services.

ISO 27001:2022 Annex A 5.19 Information Security In Supplier Relationships

Here, the role of the ISO 27001 supplier register is to identify and record the risks associated with the supplier. It captures a risk score that is used as part of risk management.

ISO 27001 Annex A 5.20 Addressing Information Security in Supplier Agreements

Relevant information security requirements should be established and agreed with each supplier based on the type of supplier relationship.

ISO 27001:2022 Annex A 5.20 Addressing Information Security in Supplier Agreements

In the ISO 27001 supplier register, you record whether you have a contract that covers the products or services that you’re receiving. To implement this, you’ll also have a local copy of the contract that you can access easily. You’ll also need to check that the contract includes information security requirements. It’s crucial to have an in-date contract that meets the requirements of this clause before you go for ISO 27001 certification audit.

ISO 27001 Annex A 5.21 Managing Information Security in the ICT Supply Chain

Processes and procedures should be defined and implemented to manage the information security risks associated with the ICT products and services supply chain.

ISO 27001:2022 Annex A 5.21 Managing Information Security in the ICT Supply Chain

To apply to processes and procedures, you’ll need a list of the suppliers.

ISO 27001 Annex A 5.22 Monitoring, review and change management of supplier services

The organization should regularly monitor, review, evaluate and manage change in supplier information security practices and service delivery.

ISO 27001:2022 Annex A 5.22 Monitoring, review and change management of supplier services

There are many types of review that can be performed on your suppliers. As a minimum, your review will detail that you have a relevant, in-date contract with appropriate clauses, and that you have insurance for information security practices (an in-date copy of an appropriate information security certificate, such as an ISO 27001) that covers the products or services you receive. These reviews are captured and recorded in the ISO 27001 supplier register.

Keep your third-party suppliers in check with High Table

And that’s a wrap! The complete lowdown on why managing your third-party supplier security is imperative when it comes to protecting your business from expensive data breaches. If you need more guidance on ISO 27001, or how best to safeguard your organisation, book your free 30-minute consultation with the ISO 27001 Ninja. 

ISO 27001:2022 requirements

Organisational Controls - A5

ISO 27001 Annex A 5.1 Policies for information security

ISO 27001 Annex A 5.2 Information Security Roles and Responsibilities

ISO 27001 Annex A 5.3 Segregation of duties

ISO 27001 Annex A 5.4 Management responsibilities

ISO 27001 Annex A 5.5 Contact with authorities

ISO 27001 Annex A 5.6 Contact with special interest groups

ISO 27001 Annex A 5.7 Threat intelligence – new

ISO 27001 Annex A 5.8 Information security in project management

ISO 27001 Annex A 5.9 Inventory of information and other associated assets – change

ISO 27001 Annex A 5.10 Acceptable use of information and other associated assets – change

ISO 27001 Annex A 5.11 Return of assets

ISO 27001 Annex A 5.11 Return of assets

ISO 27001 Annex A 5.13 Labelling of information

ISO 27001 Annex A 5.14 Information transfer

ISO 27001 Annex A 5.15 Access control

ISO 27001 Annex A 5.16 Identity management

ISO 27001 Annex A 5.17 Authentication information – new

ISO 27001 Annex A 5.18 Access rights – change

ISO 27001 Annex A 5.19 Information security in supplier relationships

ISO 27001 Annex A 5.20 Addressing information security within supplier agreements

ISO 27001 Annex A 5.21 Managing information security in the ICT supply chain – new

ISO 27001 Annex A 5.22 Monitoring, review and change management of supplier services – change

ISO 27001 Annex A 5.23 Information security for use of cloud services – new

ISO 27001 Annex A 5.24 Information security incident management planning and preparation – change

ISO 27001 Annex A 5.25 Assessment and decision on information security events 

ISO 27001 Annex A 5.26 Response to information security incidents

ISO 27001 Annex A 5.27 Learning from information security incidents

ISO 27001 Annex A 5.28 Collection of evidence

ISO 27001 Annex A 5.29 Information security during disruption – change

ISO 27001 Annex A 5.31 Identification of legal, statutory, regulatory and contractual requirements

ISO 27001 Annex A 5.32 Intellectual property rights

ISO 27001 Annex A 5.33 Protection of records

ISO 27001 Annex A 5.34 Privacy and protection of PII

ISO 27001 Annex A 5.35 Independent review of information security

ISO 27001 Annex A 5.36 Compliance with policies and standards for information security

ISO 27001 Annex A 5.37 Documented operating procedures 

Technology Controls - A8

ISO 27001 Annex A 8.1 User Endpoint Devices

ISO 27001 Annex A 8.2 Privileged Access Rights

ISO 27001 Annex A 8.3 Information Access Restriction

ISO 27001 Annex A 8.4 Access To Source Code

ISO 27001 Annex A 8.5 Secure Authentication

ISO 27001 Annex A 8.6 Capacity Management

ISO 27001 Annex A 8.7 Protection Against Malware

ISO 27001 Annex A 8.8 Management of Technical Vulnerabilities

ISO 27001 Annex A 8.9 Configuration Management 

ISO 27001 Annex A 8.10 Information Deletion

ISO 27001 Annex A 8.11 Data Masking

ISO 27001 Annex A 8.12 Data Leakage Prevention

ISO 27001 Annex A 8.13 Information Backup

ISO 27001 Annex A 8.14 Redundancy of Information Processing Facilities

ISO 27001 Annex A 8.15 Logging

ISO 27001 Annex A 8.16 Monitoring Activities

ISO 27001 Annex A 8.17 Clock Synchronisation

ISO 27001 Annex A 8.18 Use of Privileged Utility Programs

ISO 27001 Annex A 8.19 Installation of Software on Operational Systems

ISO 27001 Annex A 8.20 Network Security

ISO 27001 Annex A 8.21 Security of Network Services

ISO 27001 Annex A 8.22 Segregation of Networks

ISO 27001 Annex A 8.23 Web Filtering

ISO 27001 Annex A 8.24 Use of CryptographyISO27001 Annex A 8.25 Secure Development Life Cycle

ISO 27001 Annex A 8.26 Application Security Requirements

ISO 27001 Annex A 8.27 Secure Systems Architecture and Engineering Principles

ISO 27001 Annex A 8.28 Secure Coding

ISO 27001 Annex A 8.29 Security Testing in Development and Acceptance

ISO 27001 Annex A 8.30 Outsourced Development

ISO 27001 Annex A 8.31 Separation of Development, Test and Production Environments

ISO 27001 Annex A 8.32 Change Management

ISO 27001 Annex A 8.33 Test Information

ISO 27001 Annex A 8.34 Protection of information systems during audit testing