Onboarding a new supplier? Did you know that these third-party relationships represent the biggest risk to your organisation when it comes to information security?
Carrying out tedious risk assessments and completing third-party supplier questionnaires a mile long sounds like a slog, we get it. But if you don’t get serious about your third-party supplier security, you’re heading for data breach hell.
We’re here to take you to ISO 27(001) heaven. (That’ll make sense later.)
According to new research from SecurityScorecard, the global leader in cybersecurity ratings, and the Cyentia Institute, an independent cybersecurity research firm, 98% of organisations have a relationship with at least one third-party supplier that’s had a data breach in the last two years. Crazy sh*t, isn’t it?
Moral of the story? Your company’s security posture is only as strong as its weakest third-party. If anything highlights the importance of third-party risk management, THIS IS IT!
I’m Stuart Barker: ISO 27001 Ninja, information security specialist and Founder of High Table – the fastest growing ISO 27001 company, globally. At High Table, we’re all about sharing our knowledge and offering industry advice to businesses like yours in the information security space. Keep reading to find out everything you need to know about the importance of third-party security, and how ISO 27001 could be the answer to your prayers.
Why third-party supplier security matters
The Ponemon Institute published research in 2021 called “A Crisis in Third-party Remote Access Security”. This research found that throughout the previous year, security breaches had occurred in 44% of the 627 firms surveyed. In 74% of those organisations, the breaches occurred because third-parties were granted too much access to confidential information.
Researchers discovered that 51% of these firms said they did not carefully vet each third-party’s security and privacy protocols before granting them access to sensitive data.
Woah… Let’s just stop right there for a minute. DAFUK?! Who are these people!?
Back in the room. Don’t be these people. Data breaches are expensive! So, what can we do to avoid them when it comes to third-party suppliers?
Vetting your third-party suppliers
When onboarding a new supplier, doing your due diligence and checking that they have a robust information security posture (or not) is a must. The downside: it can be a lengthy process.
What is a third-party supplier security questionnaire?
A supplier risk assessment questionnaire (also known as a third-party risk assessment questionnaire or a vendor risk management questionnaire) is designed to gather information about a potential supplier, identify weaknesses that could lead to a data breach, and to assess their capabilities, practices, and their compliance with your organisation’s requirements.
The questionnaire usually covers a range of topics related to the supplier’s operations, including:
- General Information: This section collects basic details about the supplier, such as their name, address and contact information.
- Business Operations: These questions ask about the supplier’s business activities, years in service, and any relevant certifications they hold.
- Financial Stability: These questions assess the supplier’s financial health, including their annual revenue, financial statements, and financial soundness.
- Quality Management: This section analyses the supplier’s quality management systems and processes, including any certifications they have.
- Information Security: These questions focus on the supplier’s information security practices, data protection measures, access controls, incident response procedures, and any certifications or compliance frameworks they adhere to, like ISO 27001.
- Privacy and Data Protection: It explores how the supplier handles personal data, their compliance with data protection regulations like GDPR, and any contractual safeguards they have in place for data protection and privacy.
- Business Continuity and Disaster Recovery: This section evaluates the supplier’s preparedness for disruptions, including their business continuity plans, disaster recovery strategies, and backup procedures.
- Compliance and Ethics: These questions determine the supplier’s compliance with legal and regulatory requirements, ethical standards, and their approach to anti-corruption and anti-bribery measures.
- Risk Management: This section indicates the supplier’s approach to identifying, assessing, and mitigating risks in their operations, including their supplier risk management processes.
- References and Past Performance: This section may request references from the supplier’s previous clients or seek information on their past performance, including any instances of non-compliance or legal issues.
We’re with you – this is a long and complicated process. But, if your supplier is already ISO 27001 certified, this changes the game for you. Why? In order to comply with the standard, an organisation needs to evidence that they are doing all of the above.
This saves you time and effort going through a prolonged vetting process to approve them as a trusted supplier, so it’s in a supplier’s best interest to get their ISO 27001 certification.
Are we saying you can save time and protect your organisation from expensive security incidents by only engaging third-parties who are ISO 27001 certified? Damn right we are.
What is ISO 27001?
ISO 27001 is the leading international standard for information security. Simply put, it’s a set of guidelines and best practices required to create, maintain, and continually develop an effective information security management system (ISMS).
An ISMS is a structure of policies, procedures and controls designed to monitor and protect an organisation’s sensitive information via effective risk management.
An ISMS guarantees the confidentiality, integrity, and availability of information by identifying and mitigating security risks within organisations.
Good cyber hygiene and information security management is a small price to pay when considering the financial consequences of a catastrophic security incident – so, implementing and certifying to ISO 27001 is probably the wisest decision you can make as a business owner, and that suppliers can make when demonstrating their commitment to managing risks and protecting your sensitive data.
Manage your suppliers with the ISO 27001 Supplier Register
Now it’s time to explore how you can manage your third-party security effectively. Let’s dive into the supplier register. This consists of a list of all of the suppliers, vendors and partners that store, process or transmit your data.
It’s important that third-parties provide assurance that they are following best practices for information security.
The easiest way to achieve this is to check that there’s an up-to-date, in-date:
- contract that includes clauses for information security and data protection.
- industry-level certification that covers the products and / or services you receive – for instance, an ISO 27001 certification can provide us with adequate assurance.
The contract and the industry certification are noted and recorded in the supplier register. You can also record what they do for you and how reliant upon them your organisation is.
The supplier register captures key information about the supplier and is used to manage the supplier reviews and supplier assurance processes. What you record there drives how you manage each supplier.
You will know:
- Who your suppliers are
- What services they provide for your organisation
- If there’s a contract in place
- If they have information security certificates
- What data you share with them
- When you last reviewed them and when you will next review them
Securing the supply chain in ISO 27001
Suppliers are the biggest risk to your organisation. They provide valuable products, services and resources but are completely outside of your control.
You trust them with your most valuable information, as well as your clients’ information – and you expect them to do the right thing… but in today’s world, expectation doesn’t cut the mustard.
You can’t protect what you can’t control, and this is where effective third-party supplier management comes in.
The Third Party Supplier Policy sets out how to manage the risk associated with your suppliers.
The Third Party Supplier Register is a tool to actively manage them.
(You could waste days writing these bad boys yourself, but why would you when we’ve ploughed two decades worth of information security genius into these ready-to-edit ISO 27001 templates to help you? You’re welcome.)
ISO 27001 Third Party Supplier Assurance
The level of assurance required is based on risk.
Risk is determined by a number of factors including how critical they are to your operation and how much confidence you can evidence that they are doing the right thing for information security.
As part of the assurance process, make sure that every supplier in the register is reviewed annually.
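To make the register and the review cycle concrete, here is an added worked example (not High Table’s template or any ISO-published artefact) of a minimal supplier register in Python. It records the fields listed above, checks for an in-date contract with information security clauses and an in-date certificate, flags suppliers whose annual review is overdue, and derives a risk-based assurance level. The three-point criticality scale, the assurance-level mapping and the sample suppliers and dates are all assumptions constructed for the example.

```python
"""Minimal supplier register with the checks the article lists:
in-date contract with infosec clauses, in-date certificate, annual review,
and a risk-based assurance level.  Constructed example, not a template."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

REVIEW_INTERVAL = timedelta(days=365)  # every supplier is reviewed at least annually


@dataclass
class Supplier:
    name: str
    services: str                       # what they do for you
    data_shared: List[str]              # what data you share with them
    criticality: str                    # "low" | "medium" | "high" (assumed scale)
    contract_expires: Optional[date]    # None = no contract in place
    contract_has_infosec_clauses: bool
    certificate: Optional[str]          # e.g. "ISO 27001"; None = none held
    certificate_expires: Optional[date]
    last_reviewed: Optional[date]       # None = never reviewed


def contract_in_date(s: Supplier, today: date) -> bool:
    """An in-date contract that actually carries information security clauses."""
    return (s.contract_expires is not None and s.contract_expires >= today
            and s.contract_has_infosec_clauses)


def certificate_in_date(s: Supplier, today: date) -> bool:
    """An in-date industry certificate (the article's example is ISO 27001)."""
    return (s.certificate is not None and s.certificate_expires is not None
            and s.certificate_expires >= today)


def next_review_due(s: Supplier) -> Optional[date]:
    """Annual cycle; a never-reviewed supplier has no date and is due now."""
    return None if s.last_reviewed is None else s.last_reviewed + REVIEW_INTERVAL


def review_overdue(s: Supplier, today: date) -> bool:
    due = next_review_due(s)
    return due is None or due < today


def assurance_level(s: Supplier, today: date) -> str:
    """Risk-based assurance: the more critical the supplier and the less
    evidence it can show, the more vetting you do yourself.
    The mapping below is an assumption for this example, not from the standard."""
    if certificate_in_date(s, today) and contract_in_date(s, today):
        return "certificate-based"          # accept the certificate as assurance
    if s.criticality == "high":
        return "full questionnaire"
    if s.criticality == "medium":
        return "targeted questionnaire"
    return "contract-only"


def register_findings(register: List[Supplier], today: date) -> List[str]:
    """Everything a reviewer has to act on, as 'supplier: finding' strings."""
    findings = []
    for s in register:
        if not contract_in_date(s, today):
            findings.append(f"{s.name}: no in-date contract with infosec clauses")
        if s.certificate and not certificate_in_date(s, today):
            findings.append(f"{s.name}: {s.certificate} certificate expired")
        if review_overdue(s, today):
            findings.append(f"{s.name}: annual review overdue")
    return findings


# Constructed sample register: fictional suppliers and dates.
TODAY = date(2024, 6, 1)
REGISTER = [
    Supplier("Payroll Co", "payroll processing", ["employee PII", "bank details"],
             "high", date(2025, 3, 31), True, "ISO 27001", date(2025, 1, 15),
             date(2023, 9, 1)),
    Supplier("Cloud Backup Ltd", "offsite backups", ["customer records"],
             "high", date(2024, 12, 31), True, "ISO 27001", date(2024, 2, 28),
             date(2023, 3, 1)),
    Supplier("Office Cleaners", "cleaning", [], "low",
             date(2024, 1, 31), False, None, None, None),
]

if __name__ == "__main__":
    for s in REGISTER:
        print(f"{s.name}: assurance={assurance_level(s, TODAY)}, "
              f"next review={next_review_due(s)}")
    for f in register_findings(REGISTER, TODAY):
        print("ACTION:", f)
```

Run as a script, it lists each supplier’s assurance level and next review date, then the actions the review has to pick up: the backup supplier’s lapsed certificate and overdue review, and the cleaners’ expired contract without security clauses. A real register would hold the same fields in a spreadsheet or GRC tool; the point is that “in-date contract”, “in-date certificate” and “reviewed within a year” are checks you can run mechanically rather than judgements made at audit time.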
We cover how the supplier fits into the information security management system in the ISO 27001 Templates Documents Ultimate Guide.
Download the best ISO 27001 Supplier Templates in the industry
ISO 27001 requirements for an ISO 27001 Supplier Register
ISO 27001 has a requirement that you must effectively manage your third-party suppliers and ensure the security of the supply chain. The ISO 27001 standard includes an annex called Annex A.
Annex A is a standard in its own right called ISO 27002. ISO 27001 Annex A / ISO 27002 is a list of ISO 27001 controls that the organisation must implement, and supplier management is one of those. The ISO 27001 Annex A / ISO 27002 changed in 2022.
ISO 27001 Annex A 5.19 Information Security In Supplier Relationships
Processes and procedures should be defined and implemented to manage the information security risks associated with the use of supplier’s products or services.
Here, the role of the ISO 27001 supplier register is to identify and record the risks associated with the supplier. It captures a risk score that is used as part of risk management.
ISO 27001 Annex A 5.20 Addressing Information Security in Supplier Agreements
Relevant information security requirements should be established and agreed with each supplier based on the type of supplier relationship.
In the ISO 27001 supplier register, you record whether you have a contract that covers the products or services that you’re receiving. To implement this, you’ll also have a local copy of the contract that you can access easily. You’ll also need to check that the contract includes information security requirements. It’s crucial to have an in-date contract that meets the requirements of this clause before you go for ISO 27001 certification audit.
ISO 27001 Annex A 5.21 Managing Information Security in the ICT Supply Chain
Processes and procedures should be defined and implemented to manage the information security risks associated with the ICT products and services supply chain.
To apply these processes and procedures, you’ll need a list of your suppliers.
ISO 27001 Annex A 5.22 Monitoring, review and change management of supplier services
The organization should regularly monitor, review, evaluate and manage change in supplier information security practices and service delivery.
There are many types of review that can be performed on your suppliers. As a minimum, your review will detail that you have a relevant, in-date contract with appropriate clauses, and that you have assurance of their information security practices (an in-date copy of an appropriate information security certificate, such as ISO 27001) that covers the products or services you receive. These reviews are captured and recorded in the ISO 27001 supplier register.
Keep your third-party suppliers in check with High Table
And that’s a wrap! The complete lowdown on why managing your third-party supplier security is imperative when it comes to protecting your business from expensive data breaches. If you need more guidance on ISO 27001, or how best to safeguard your organisation, book your free 30-minute consultation with the ISO 27001 Ninja.