ISO 27001:2022 - A.5 Organisational Controls (Supplier Management)

Why they are important and top tips for implementing them

Mark O'Kane | Consultant at URM | Published on 16 April 2025

ISO/IEC 27001:2022 (ISO 27001) offers a structured approach to managing the wide range of information security risks faced by organisations, with Annex A providing a catalogue of 93 controls grouped into four categories: organisational, people, physical, and technological.  

Five of the organisational A5 controls describe how information can be secured when engaging with third-party suppliers (i.e., business relationships with third parties that provide products or services to your organisation).  These controls consist of:

  • A.5.19 – Information Security in Supplier Relationships
  • A.5.20 – Addressing Information Security within Supplier Agreements
  • A.5.21 – Managing Information Security in the ICT Supply Chain
  • A.5.22 – Monitoring, Review and Change Management of Supplier Services
  • A.5.23 – Information Security for Use of Cloud Services

In this blog we will look at these controls in more detail, and how you can use them to ensure the confidentiality, integrity and availability (CIA) of your information assets when engaging with your suppliers.

Why are the supplier management controls in ISO 27001 important?

ISO 27002:2022 (the official guidance for implementing ISO 27001) defines an asset as ‘Anything that has value to the organisation’.  In the context of business, a company’s assets add value by helping to ensure its operational functionality and efficiency, as well as by assisting in the achievement of its overall goals.

Many of these assets can be provided internally.  This includes things like your employees, policies, your business processes, contracts, and even your premises (if you are the legal owner of your facility).  Depending on what type of organisation you are, however, there will be certain assets that you will need to acquire from a third party as either a product or a service.

To enable a supplier to carry out their responsibilities, it may be necessary to share confidential or sensitive information with them.  For example:

  • If a hospital wants to store patient information on a secure software platform, it will need to share that information with the provider to ensure it is stored appropriately
  • If your organisation hires third-party cleaners to clean your office every day, you'll need to give them access to the building and different rooms so they can do their job properly
  • If you hire an HR consultant, you will typically need to give them access to your company systems and your employee data, so that they can effectively support your employees in all their human resource needs.

Sharing company information with suppliers creates a number of information security risks.  These risks are ever evolving and can arise during any part of the supplier relationship.  It is, therefore, essential that your organisation puts controls in place to identify, assess, treat, and re-assess these risks throughout the supplier lifecycle before they can pose a significant threat (to learn more about managing information security-related supplier risk, read our blog on How to Conduct Effective Supplier Information Security Risk Management).

What are the different types of supplier management controls?

According to ISO 27002, supplier management controls are categorised as ‘Preventive’, meaning that they are ‘intended to prevent the occurrence of an information security incident’.

Some common preventive measures when it comes to information security in supplier relationships include identifying, assessing and treating information security risks relating to your suppliers, and requiring supplier personnel to sign a non-disclosure agreement (NDA), if necessary.  It is also common practice to have a formal supplier agreement to document the rights and obligations of both parties, and to implement a supplier management policy outlining your supplier processes and procedures.

As stated, Annex A of ISO 27001 specifies a number of supplier-related controls; here, we will provide some hints and tips on implementing the controls to ensure you conform to the requirements of the Standard as well as satisfying both internal and external auditors.

Hints and tips on implementing A5 supplier management controls

A.5.19 – Information Security in Supplier Relationships

To ensure conformance to this control, you will need to have a documented supplier management policy that covers all the steps you take to manage supplier security risk throughout the whole relationship lifecycle.  This should include a requirement to identify the classification and types of information you intend to share with each supplier, since the classification drives how much due diligence and how frequent a review the supplier warrants.  The policy should also describe how you identify, assess and mitigate the security risks of working with suppliers before the relationship begins, while it is running, and when it is terminated (including removing access and recovering or destroying your data).  This will be different for every organisation, but common ways to do this include:

  • Due diligence questionnaires or checklists
  • Pre-onboarding risk assessments
  • Requesting copies of a supplier’s security certifications (e.g., ISO 27001, SOC 2, Cyber Essentials Plus)
  • Categorising existing suppliers based on the classification level of information to be shared
  • Regular reviews or re-assessments of supplier risks and performance
  • Regular reviews of access granted to the supplier
  • Granting, adjusting and removing supplier access to information as appropriate.

A.5.20 – Addressing Information Security within Supplier Agreements

To ensure information security is built into your supplier relationships, you’ll need to have formal, written agreements in place between your organisation and the supplier.  These agreements outline rules that your supplier must comply with to ensure the CIA of your organisation’s information.  For example, they may include a requirement to notify a specific person in your organisation if a data breach occurs, a right-to-audit clause (if possible), and a requirement to notify a specific person in your organisation if a business change occurs that could affect the supplier’s performance or its internal information security practices.

If the terms of the proposed supplier agreement are non-negotiable, your organisation must confirm that the security controls outlined in the final proposal are sufficient.  Once the agreement has been accepted by both parties, you’ll need to review existing supplier agreements regularly and ahead of any renewal.  This helps ensure that the controls remain effective and gives you the opportunity to suggest any necessary updates.

A.5.21 – Managing Information Security in the ICT Supply Chain

In addition to the above (see A.5.19), there are some specific measures that need to be in place to mitigate security risks for ICT products and services used by your organisation.

For software applications, these measures may include:

  • Obtaining copies of the ICT supplier’s software development procedure
  • Agreeing to notify your organisation if the supplier intends to stop providing updates for a particular application
  • Ensuring the ICT supplier agreement contains commitments by your supplier to:
    • Perform regular backups of data
    • Segregate its development, testing and production environments
    • Maintain a specific level of service (aka a service level agreement), by defining the minimum time software systems are guaranteed to be up and running for, and the time it will take to restore a system if an outage occurs.

For hardware products, measures may include:

  • Retaining copies of device configuration manuals provided by the supplier
  • Ensuring that newly purchased hardware products have not been tampered with or altered
  • Ensuring the ICT supplier agreement contains a commitment by the supplier to inform your organisation if there is a need to recall a hardware product (e.g., due to hardware misconfigurations, newly discovered vulnerabilities or malicious components).

It is important that you ensure that any subcontractors are aware of their security obligations with respect to your organisation’s data (e.g., via policy or awareness briefings).

A.5.22 – Monitoring, Review and Change Management of Supplier Services

To show conformance to this control, your organisation must regularly review the suppliers’ products and services in use to ensure they continue to meet expectations.  This can be evidenced by:

  • Utilising monitoring tools to verify that third-party systems remain operational
  • Performing regular, formal reviews of a product or service, by:
    • Reviewing service reports provided by the supplier
    • Conducting audits of the supplier, where mutually agreed
  • Documenting the date of the latest review of a supplier in a supplier register.

You will also need to ensure that you are keeping abreast of (and promptly responding to, as needed) changes affecting either your suppliers, or the products or services they are offering.  This helps ensure that such changes do not compromise the quality of the offering or the security of your organisation’s data. Relevant changes can include updates to the suppliers’ internal policies and procedures, modifications to the technologies used to secure your data, updates to the products or services themselves, or relocation or changes to suppliers’ physical location(s).

Another recommended best practice for this control is to designate a specific individual or team within your organisation to be responsible for monitoring and checking supplier products and services, thereby ensuring clear accountability.
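The following is an added example, not code from the original post or from URM, showing one way to keep the supplier register that A.5.19 and A.5.22 call for: each entry records the highest classification of information shared, the named individual accountable for monitoring the supplier, the date of the last formal review and the date supplier access was last reviewed, and two checks flag the reviews that are overdue.  The supplier names, owners, dates and the review cadence per classification level are all constructed for illustration; the cadence in particular is an assumption that you would set in your own supplier management policy.

```python
"""Supplier register with a classification-driven review cadence.

Added example (not part of the original post). Every name, date and
cadence below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Review cadence in days per classification level. This is an assumption for
# the example; the real values belong in your supplier management policy.
REVIEW_CADENCE_DAYS = {
    "confidential": 180,
    "internal": 365,
    "public": 730,
}


@dataclass(frozen=True)
class Supplier:
    name: str
    service: str
    classification: str   # highest classification of information shared
    owner: str            # individual accountable for monitoring (A.5.22)
    last_review: date     # date of the latest formal review of the service
    access_reviewed: date # date the supplier's access was last reviewed


def next_review_due(supplier: Supplier) -> date:
    """Return the date by which the next formal review must be completed.

    An unknown classification is treated as an error rather than silently
    given the longest cadence, so a mis-categorised supplier is caught.
    """
    try:
        cadence = REVIEW_CADENCE_DAYS[supplier.classification]
    except KeyError:
        raise ValueError(
            f"unknown classification {supplier.classification!r} "
            f"for supplier {supplier.name!r}"
        )
    return supplier.last_review + timedelta(days=cadence)


def overdue_reviews(register, today: date) -> list[tuple[str, str, int]]:
    """(supplier, owner, days overdue) for every review past its due date,
    most overdue first, so the accountable owner is named with the finding."""
    findings = []
    for supplier in register:
        due = next_review_due(supplier)
        if today > due:
            findings.append((supplier.name, supplier.owner, (today - due).days))
    return sorted(findings, key=lambda f: f[2], reverse=True)


def stale_access_reviews(register, today: date, max_age_days: int = 90) -> list[str]:
    """Suppliers whose access has not been reviewed within max_age_days."""
    return [
        s.name for s in register
        if (today - s.access_reviewed).days > max_age_days
    ]


# Constructed sample register (hypothetical suppliers).
REGISTER = [
    Supplier("Example Hosting Ltd", "patient data platform", "confidential",
             "Head of IT", date(2024, 9, 1), date(2025, 2, 10)),
    Supplier("Example Cleaning Co", "office cleaning", "internal",
             "Facilities Manager", date(2024, 3, 15), date(2024, 12, 1)),
    Supplier("Example Newsletter", "public mailing list", "public",
             "Marketing Lead", date(2023, 6, 1), date(2025, 3, 30)),
]

# Fixed "today" so the example is reproducible.
TODAY = date(2025, 4, 16)

if __name__ == "__main__":
    for name, owner, days in overdue_reviews(REGISTER, TODAY):
        print(f"REVIEW OVERDUE by {days:3d} days: {name} (owner: {owner})")
    for name in stale_access_reviews(REGISTER, TODAY):
        print(f"ACCESS REVIEW STALE: {name}")
```

Run as a script the register reports the hosting and cleaning suppliers as overdue for review and the cleaning supplier as overdue for an access review; the newsletter supplier, which only receives public information, is not yet due.  Tying the cadence to classification is what keeps the effort proportionate: the supplier holding confidential data is reviewed twice as often as one holding internal data.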

A.5.23 – Information Security for Use of Cloud Services

As cloud service providers are considered suppliers, your organisation must apply its standard supplier management practices to them as well.  Also, since cloud service agreements are usually non-negotiable, organisations are advised to create a list of criteria that cloud service providers should meet, including which security responsibilities sit with the provider and which remain with you as the customer (the shared responsibility model), so that nothing is assumed to be covered by the other party.  This can either be documented in a cloud computing policy, or as a subsection of a broader supplier management policy.

As regards the ongoing use and management of cloud services, you are recommended to assign ownership of the supplier relationship to a specific individual in the business, such as the Chief Technology Officer (CTO) or the Chief Operating Officer (COO).  The relationship owner should be the main point of contact for the cloud supplier in the event of an incident or other serious occurrence, and should understand the security features the service offers so that they are actually configured and used, rather than left at their defaults.  When discontinuing a cloud service, your organisation needs to have a defined approach for handling its data upon termination of the supplier relationship, such as requesting the return or transfer of your data, then its secure deletion by the cloud provider, with written confirmation that deletion has taken place.

Closing Thoughts

Your organisation’s reliance on its suppliers inevitably widens the attack surface for your own data, and supplier management therefore plays a critical part in your information security management system (ISMS).  As such, it is imperative that you implement robust and proportionate supplier management measures.  Doing so will help to ensure your organisation’s conformance and success at upcoming audits, whilst safeguarding the CIA of your data when engaging with third-party suppliers.

How URM can Help

Consultancy

With 2 decades of experience assisting organisations’ ISO 27001 implementation and over 400 successful certification projects behind us, URM is the ideal partner to support your organisation with any aspect of its conformance/certification to the Standard.  Our large team of experienced consultants can offer your organisation a wide range of consultancy services to help you meet ISO 27001 requirements in full; for example, we can begin by conducting an ISO 27001 gap analysis, where we establish where you are already conformant, and those areas which may require further improvement.  Using our proven risk assessment tool, Abriska™ 27001, we can also help you conduct your ISO 27001 risk assessment, and, following this, work with you to develop policies, processes and ISMS infrastructure which both meet the requirements of the Standard in full, but are also appropriate for your organisation’s unique culture and needs.  Alternatively, our supplier risk management tool, Abriska™ 27036, offers you the ability to produce tailored due diligence questionnaires for your suppliers, set up automated reminders when the time to re-assess your suppliers arrives, and produce concise and readable supplier reports for your senior management team.

Following implementation of the ISMS, URM can also provide you with a range of ISO 27001 internal audit services.  These include conducting an internal audit ahead of your certification assessment to ensure it is functioning as intended, planning and implementing a full 3-year ISO 27001 audit programme, or auditing more specific aspects of the ISMS or particular controls.

Training

In addition to our consultancy services, URM also regularly delivers a range of ISO 27001-related training courses, providing you with the skills and expertise necessary to effectively manage information security and conformance to the Standard in your workplace.  Our Introduction to ISO 27001 Course explores all aspects of information security and the importance of ISO 27001 in protecting information, whilst our 2-day ISO/IEC 27001:2022 Transition Course covers both the changes seen in the latest version of the Standard and how to implement them.  Or, if you would like to gain an industry-recognised information security qualification, URM regularly delivers the Certificate in Information Security Management Principles (CISMP) Training Course, which will fully prepare you to sit and pass the BCS invigilated examination.

Mark O'Kane
Consultant at URM
Mark is an Information Security Consultant at URM with significant experience working with ISO 27001 and other GRC security frameworks and services.