How to Conduct Effective Supplier Information Security Risk Management

The first and fundamental step in conducting effective supplier information security risk management is to identify and document a list of all suppliers that store, process or transmit your information.  This does not just include IT providers, such as software vendors, cloud providers, data storage providers, managed service providers (MSPs), etc., but any third party with access to your IT systems or infrastructure, or physical information (e.g., professional services firms, business process outsourcers, waste disposal organisations).

It is not uncommon for organisations to not be fully aware of all the suppliers they have in place, e.g., where the procurement function may still be maturing, and there are different methods for engaging with suppliers.  One of the most effective and practical ways of identifying your suppliers is to liaise with your finance department to establish which suppliers your organisation is paying.  This may not be a completely straightforward exercise, as there will be different contract terms for different suppliers, different aspects of renewal, or perhaps even some products/services (particularly from SaaS suppliers) that staff members are purchasing out of pocket and reclaiming the cost of through expenses (we don’t recommend this approach, but we do see this happening).

Once you have identified all of the suppliers that your organisation is engaging with, you will need to group them into categories based on common themes or control areas.  For example, an outsourced, remote call centre which processes personal data and has access to your systems and an organisation which comes on site to provide personnel will each require very different controls to manage the risks they pose.

Whilst there are some categories that are applicable to a great number of organisations, the categories you use to group your suppliers together will depend on the specifics of your organisation.  It may be that your organisation prohibits third-party connectivity to its networks or access to its systems and so there are no suppliers requiring controls in these areas; you need to specifically identify what aspects are common within your supplier base.

‍

The above image (taken from Abriska™ 27036, URM’s supplier risk management tool) demonstrates some of the categories you may be able to build for your supplier list.  The first category of ‘baseline security requirements’ will include aspects that are applicable to all the suppliers you have in place, such as understanding their staff information security training and awareness programme or requiring the suppliers to sign a non-disclosure agreement NDA.  The following categories can be selected depending on the products/services the suppliers provide, and each supplier may need to be assigned to multiple categories.  This enables you to tailor the list of questions you include in each supplier questionnaire based on the different risk categories they are assigned to, whilst also providing you with a level of consistency and repeatability, even if different staff members are conducting the supplier due diligence process for your various suppliers.

Having established the suppliers you have in place and the products/services they provide, you will now need to determine how much of a priority each supplier is based on the level of access they have to your systems and to sensitive information, grouping together those with the same criticality level.  For example, your priority scale may include:

• High-risk suppliers, which handle critical data (e.g., customer financial information and personally identifiable information or ‘PII’)
• Medium-risk suppliers, which have access to internal systems or user data
• Low-risk suppliers, which have minimal access to sensitive information.

If your organisation is among the growing number that uses managed service providers (MSPs), these suppliers will almost always fall into the ‘high-risk’ category, as they will often not only have access to and process your organisation’s information, but also manage a lot of the security controls on your behalf.

‍

‍

As demonstrated by the image above, each supplier should be assigned a criticality level, as well as other key elements such as the division or unit of your organisation the supplier is associated with, a relationship manager who is responsible for that supplier internally and will be key in determining the supplier’s criticality, and a supplier contact who will be completing the supplier questionnaire.

For this step, the overwhelming majority of organisations will rely on a questionnaire.  How this questionnaire looks will, once again, depend on your organisation and how it operates.  Some organisations will use extremely complex questionnaires containing various branches and a lot of questions that require free text answers rather than a simple ‘yes/no’ response, whilst other organisations may take a much more straightforward approach with mostly ‘yes/no’ and multiple-choice questions included.  Both approaches have their place and will be appropriate in different situations.  If your questionnaire includes a lot of free text questions, your supplier will need to spend more time formulating responses and more time and effort will be required on your side to analyse the answers provided.  As such, this type of questionnaire may be superfluous for suppliers with minimal or no access to your sensitive information.  However, for high-risk suppliers, including more free-text questions and spending extra time analysing their responses may be an appropriate and worthwhile approach.  

Aside from questionnaires, there are other ways of gathering information about your suppliers to understand risks, such as interrogating publicly-available information.  For example, if a prospective supplier’s website is out of date, this could suggest their patching may also not be up to date.  However, a questionnaire is generally the most effective method for gathering the necessary information to make informed judgements about supplier risk.  

To develop an effective question set, we would recommend following the best practice established by ISO 27001, the International Standard for Information Security Management Systems.  ISO 27002, the supporting standard to ISO 27001, is also incredibly useful for helping you to produce a set of questions, as it contains all of the best practice guidance for the different controls that are included in ISO 27001.  You can then use this guidance to develop a list of questions to ask your suppliers.  

Supplier assessments come in a range of formats, including spreadsheets.  There are pros and cons to this approach. There will be familiarity with Microsoft Excel and it’s a low financial investment, however it can be time consuming to analyse the results of a supplier assessment that has been conducted using a spreadsheet. There is also significant potential for human error, such as data entry mistakes and mistakes with formulas. Spreadsheets can also fail to scale with businesses as they expand, potentially leading to a single point of failure risk, for example.

Using online tools is a good alternative to relying on spreadsheets for your assessments.  The use of an online tool can increase reliability, repeatability, and consistency, lead to a more robust assessment, and can provide greater ownership and responsibility.   Online tools can also automate some of the process, and save your organisation a significant amount of time.  However, some tools can have a high price point, and may require an investment in training in order for staff members to become proficient in their use.

Once you have received the completed questionnaire from your suppliers, you will need to assess their responses and determine their risk levels.  Your assessment will depend on each supplier’s priority/criticality, and their question responses.  Based on this information, you will need to try and assess a level of risk.  The decision to engage with them or not will typically be taken by senior leadership and will depend on your risk treatment process.  

When assessing the completed questionnaire, you should review the question answers along with any evidence provided and score their response.  It is useful to group questions together by control to identify any areas of weakness, and analyse whether those areas of weakness are of concern to you.  It is also important to formalise a process to ensure consistency between assessments.

If you identify any suppliers that you need to use, but which have a significant risk, you will need to determine and implement appropriate risk treatment actions to mitigate those risks you have identified.  There are 4 overarching avenues for risk treatment that are available to you.

‍

‍

Reduce (Treat)

This approach involves implementing actions to reduce the likelihood or impact of the risk.  This could involve, for example, adding further internal controls around a supplier’s access to your systems, or requiring suppliers to implement multi-factor authentication (MFA) on their systems before they can access your environment.  

Accept (Tolerate)

Here, your organisation can choose to tolerate a risk if it falls within your risk appetite and the supplier’s services are critical to your operation.  

Share (Transfer)

This option may involve purchasing insurance or negotiating a contract with the supplier where it accepts liability for certain key elements or risks.

Avoid (Terminate)

A final option is to terminate the relationship with the supplier if the risk is considered be too high and cannot be effectively mitigated or transferred, and if the products/services being provided are not essential or can be provided by another organisation.

When conducting risk remediation activities, it may be extremely difficult (or impossible) to negotiate and enforce the supplier to implement controls on their side if the supplier in question is a large multinational (such as Microsoft).  However, when engaging a supplier of this size, you will often pay per security aspect, so will be able to pay an additional premium for accessing a higher level of security service.

If you need to conduct risk remediation activities yourself, we would recommend using best practice control sources, such as ISO 27001 and ISO 27002.  Within the ISO 27000 series, there is also ISO 27036 – Cybersecurity - Supplier relationships, which focuses on establishing a framework for conducting supplier risk management.

However, regardless of the source of your information security controls, you will need to identify and select those controls which address specific risks.  If most of the risks associated with a particular supplier are technical in nature, you will likely find that the most appropriate controls to mitigate those risks will also be technical.  The process of reducing supplier risk should not be conducted with a one-size-fits-all approach, but should instead be tailored to each individual supplier you work with and the services they provide.

In practice, this stage often occurs (to a certain extent) in parallel with the previous stages.  Once you have a shortlist of suppliers or have an indication that you are highly likely to work with a particular supplier, legal teams will be engaged and will start working on contracts.  However, these will, naturally, only be finalised and signed once the process is complete and you have decided on which supplier you will be engaged with.

There are a number of key requirements you should include in your contract with the supplier, and many of these requirements can be requested as part of your original questionnaire.  One of the most important elements will be ensuring there is scoping around your and your suppliers’ roles and responsibilities.  For example, if an MSP is providing you with a technical system, is it their responsibility to patch that system?  This is particularly emphasised in the Payment Card Industry Data Security Standard (PCI DSS), which includes a service provider responsibility matrix where you identify whether your organisation or your service provider is responsible for each requirement.  To learn more about PCI DSS requirements, particularly those that have been added to the latest version of the Standard, read our blog on What are the Key New Requirements in PCI DSS 4.0.

Another key aspect of supplier contracts is defining the third party’s data protection and privacy obligations if your organisation is acting as a data controller and the supplier as a data processer.  There will be a number of elements around how that personal data is processed, if the supplier is engaging with sub-processors, and ensuring that the supplier notifies you if they change or amend any of these sub-processors.

Incident response and reporting is another important aspect to include in your contracts.  If a supplier suffers a cyber security breach, your contract should define that the supplier will notify you and how the incident response will be managed.  Your contract should also provide you with the right to audit your suppliers (where necessary – the right to audit won’t be required for every supplier), as well as a termination and exit strategy.