A supplier register is a record of all of your vendors, suppliers and third parties. It captures some key information about them and it is used to manage the information security risk that they pose to you.
Table of contents
- What is it?
- Applicability to Small Businesses, Tech Startups, and AI Companies
- ISO 27001 Supplier Register Template
- Why you need it
- When you need it
- Who needs it?
- Where you need it
- How to write it
- How to Implement It
- Examples of using it for small businesses
- Examples of using it for tech startups
- Examples of using it for AI companies
- How the ISO 27001 Toolkit Can Help
- Information Security Standards That Need It
- List of Relevant ISO 27001:2022 Controls
- ISO 27001 Supplier Register Example
- ISO 27001 Supplier Register FAQ
What is it?
An ISO 27001 Supplier Register is basically a list you keep of all the companies and people you do business with who handle your sensitive data. It’s a simple way to stay organised and make sure you know who has access to your information. Think of it as a detailed contacts list specifically for your business partners.
Applicability to Small Businesses, Tech Startups, and AI Companies
This supplier register is useful for businesses of all sizes, including small businesses, tech startups, and AI companies.
- Small Businesses: You probably use services like accounting software (think QuickBooks) or cloud storage (like Dropbox). You need to list these suppliers to keep track of your data.
- Tech Startups: You rely on many third-party tools, like customer relationship management (CRM) software (Salesforce), hosting providers (AWS), or payment processors (Stripe). It’s super important to know how these companies are protecting your customers’ data.
- AI Companies: You might use external data providers or cloud services to train your models. Your register would include these suppliers to ensure the data you’re using is handled securely and responsibly.
ISO 27001 Supplier Register Template
The ISO 27001:2022 Supplier Register Template is pre-built and ready to go, and comes with a step-by-step guide on how to manage vendors and suppliers in an ISO 27001 compliant way.
Why you need it
You need it to show that you’re being responsible with your data. ISO 27001 is all about protecting information, and this register helps you prove to auditors and customers that you’re taking security seriously. It’s a key part of your risk management plan.
When you need it
You need to start this register as soon as you begin working with any external company that handles your data. You’ll need to keep it updated whenever you add or remove a supplier. It’s a living document!
Who needs it?
You need this if your company handles any kind of sensitive information. Whether you’re a big corporation or a small team, if you share data with other businesses, this register is a must.
Where you need it
This register should be part of your company’s information security management system (ISMS). You can keep it in a simple spreadsheet, a database, or even a dedicated software tool. The important thing is that it’s easily accessible to the people who need it.
How to write it
Start with a simple table. Include columns for:
- Supplier Name: The name of the company.
- Contact Person: Who you talk to there.
- Description of Service: What they do for you.
- Type of Data Shared: What kind of information you give them (e.g., customer names, financial data).
- Security Controls: What security measures they have in place (e.g., certifications like ISO 27001).
How to Implement It
- Find all your suppliers: Make a list of every company you share data with.
- Gather the info: Fill out your register with the details for each supplier.
- Review regularly: Check your register at least once a year to make sure it’s up to date.
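As an added illustration (not part of the original page or its template), here is a small Python check over a register laid out with the columns above. It flags entries that breach the once-a-year review cadence, share sensitive data with no recorded security controls, or are missing basic fields. The supplier entries, contacts and dates are constructed sample data.

```python
from datetime import date

# Constructed sample register: one row per supplier, using the columns from
# "How to write it" plus a last-review date for the yearly review check.
REGISTER = [
    {"supplier": "Stripe", "contact": "payments@example.test",
     "service": "Card payment processing",
     "data_shared": ["customer payment information"],
     "security_controls": ["PCI DSS"], "last_reviewed": date(2024, 3, 1)},
    {"supplier": "Shopify", "contact": "shop-admin@example.test",
     "service": "E-commerce platform",
     "data_shared": ["customer names", "addresses", "order details"],
     "security_controls": [], "last_reviewed": date(2025, 1, 15)},
    {"supplier": "Slack", "contact": "",
     "service": "Team communication",
     "data_shared": ["internal company conversations", "files"],
     "security_controls": ["ISO 27001", "SOC 2"], "last_reviewed": date(2025, 2, 1)},
    {"supplier": "Office Coffee Co", "contact": "orders@example.test",
     "service": "Coffee delivery", "data_shared": [],
     "security_controls": [], "last_reviewed": date(2025, 4, 1)},
]

# Keywords (an assumption for this example) that mark a data type as sensitive.
SENSITIVE_MARKERS = ("payment", "financial", "medical", "health", "customer")


def review_overdue(entry, today, max_age_days=365):
    """True if the supplier has not been reviewed within the last year."""
    return (today - entry["last_reviewed"]).days > max_age_days


def handles_sensitive_data(entry):
    """True if any shared data type matches a sensitive-data keyword."""
    return any(m in d.lower() for d in entry["data_shared"] for m in SENSITIVE_MARKERS)


def check_register(register, today):
    """Return (supplier, issue) pairs that need attention at the next review."""
    findings = []
    for e in register:
        if not e["data_shared"]:
            findings.append((e["supplier"], "no shared data recorded: confirm it belongs in the register"))
            continue
        if review_overdue(e, today):
            findings.append((e["supplier"], "review overdue"))
        if handles_sensitive_data(e) and not e["security_controls"]:
            findings.append((e["supplier"], "sensitive data shared, no documented security controls"))
        if not e["contact"]:
            findings.append((e["supplier"], "no contact person recorded"))
    return findings
```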
Examples of using it for small businesses
Imagine you run a small online shop. Your supplier register might include:
- Stripe: For processing credit card payments. You share customer payment information.
- Shopify: Your e-commerce platform. You share customer names, addresses, and order details.
Examples of using it for tech startups
Let’s say you’ve built a new app. Your register might have:
- Amazon Web Services (AWS): Your cloud provider. You share all your app data.
- Slack: Your team communication tool. You share internal company conversations and files.
Examples of using it for AI companies
If you’re developing an AI for medical images, your register could list:
- External Data Provider: A company that gives you medical image data for training.
- Google Cloud: Where you store and process all your training data.
How the ISO 27001 Toolkit Can Help
An ISO 27001 toolkit includes pre-made templates for a supplier register. It can save you time and make sure you’ve covered all the necessary information. It’s like having a helpful guide to walk you through the process.
Information Security Standards That Need It
This supplier register is a key part of ISO 27001, which is an international standard for managing information security. Other standards that need it include:
- GDPR (General Data Protection Regulation)
- CCPA (California Consumer Privacy Act)
- DORA (Digital Operational Resilience Act)
- NIS2 (Network and Information Security (NIS) Directive)
- SOC 2 (Service Organisation Control 2)
- NIST (National Institute of Standards and Technology)
- HIPAA (Health Insurance Portability and Accountability Act)
List of Relevant ISO 27001:2022 Controls
The ISO 27001:2022 standard has specific controls that relate to supplier management and the need for a supplier register. Some of the most important ones include:
- ISO 27001:2022 Annex A 5.19 Information Security In Supplier Relationships
- ISO 27001:2022 Annex A 5.20 Addressing Information Security Within Supplier Agreements
- ISO 27001:2022 Annex A 5.21 Managing Information Security In The ICT Supply Chain
- ISO 27001:2022 Annex A 5.22 Monitor, Review And Change Management Of Supplier Services
- ISO 27001:2022 Annex A 5.23 Information Security For Use Of Cloud Services
ISO 27001 Supplier Register Example
The following is an example of an ISO 27001 supplier register used for ISO 27001 vendor assessment and ISO 27001 third party risk assessment.
ISO 27001 Supplier Register FAQ
- Do I have to list my coffee supplier? No, you only need to list suppliers who handle your sensitive data.
- What if a supplier doesn’t have a security certification? You should still list them and note their security measures, even if they’re not certified.
- How often should I update the register? At least once a year, or whenever you add or remove a supplier.
- Can I use a simple spreadsheet? Yes, a spreadsheet works perfectly well.
- Is this a legal requirement? It’s a requirement for ISO 27001 certification, and helps you meet legal duties like GDPR.
- Who is responsible for the register? A person or team within your company should be responsible for keeping it updated.
- What’s the biggest mistake people make with this? Not keeping it updated!
- Can I share a single register for multiple certifications? Yes, this register can help you meet requirements for other standards.
- What about freelancers? Yes, if they handle your data, you should include them.
- What is a “supplier”? Anyone outside your company who provides a service and handles your data.
- Do I need to audit my suppliers? ISO 27001 doesn’t require you to, but it’s good practice.
- Is this just for large companies? No, it’s for all sizes.
- What if my supplier is in a different country? You still need to list them and be aware of their data protection laws.
- Where can I find more info? Check the official ISO 27001 documentation or certified consultants.
- What’s the best tool to use? Whatever works for you – a spreadsheet, a simple database, or specialised software.