ISO27001:2022 - A5.19 Information security in supplier relationships

Updated: May 14

ISO27001 isn’t only concerned with your own security; it also wants to know that you’ve considered the security risks associated with third parties. In particular, ISO27001 expects you to understand what security arrangements are in place with your suppliers, and how you maintain those relationships.


A5.19 is the first in a series of blog posts focusing on suppliers and supplier management. The other, related controls include:


  • A5.20 - Addressing information security within supplier agreements

  • A5.21 - Managing information security in the ICT supply chain

  • A5.22 - Monitoring, review and change management of supplier services

  • A5.23 - Information Security for use of Cloud Services


There is a lot of crossover between these posts, as they are largely concerned with the same thing – managing the risks associated with suppliers.


What does the standard require?

The standard states that “Processes and procedures shall be defined and implemented to manage the information security risks associated with the use of supplier’s products or services.” (A5.19 Information security in supplier relationships)


Why is this required?

Every organisation has suppliers at some level, even if it’s only virtual providers such as cloud and software as a service (SaaS). We will discuss cloud security later, under Annex A5.23 - Information Security for use of Cloud Services, but the point is that your business will use various suppliers to provide services, goods and technologies.


These suppliers will have access to your logical or physical assets, so they can pose a threat to you and your business if you are not aware of how they are controlled.


The American superstore chain Target is probably the best-known example of a supply chain compromise: the attackers hacked their way into Target's corporate network by first compromising a third-party vendor. That vendor happened to be “Fazio Mechanical”, a refrigeration contractor!


If you’re not aware of the Target breach, it’s worth taking a closer look at, as it illustrates the need for careful management of suppliers. In brief, it’s worth noting that the Target breach cost the company over $200 million in fines, system corrections, and legal costs.


Although it’s unlikely that a breach would cost you this much money, it’s worth remembering that all the protection you are implementing can be circumvented through your suppliers if you don’t control them adequately.


What the auditor is looking for

The auditor is first going to want to know that you have identified your key suppliers, and therefore you should have some form of supplier register or list in place. They are also going to want to see some form of due diligence conducted on suppliers, so that you can demonstrate you have assessed each supplier’s suitability.


The due diligence you perform may vary from supplier to supplier, based on the criticality of the supplier and the level of access they have to your business.


What do you need to do?

If you are a larger organisation, you may have a specific procurement department or software that manages your suppliers. If you don’t have this luxury, then a simple spreadsheet is sufficient to capture this information in the first instance.


Your register can easily be developed in Excel, and should capture important information about the supplier, such as:


  • Relationship owner – Who deals with the supplier?

  • Supplier contact details – How will you reach them if you need to?

  • What they do for you – What services do they provide?

  • Criticality – How important are they to your business? Could they easily be replaced?

  • Access Level – How much access do they have to your business?

  • Contract Details – When does the contract end and where is the contract held?


In addition to the register, you should define a policy which outlines requirements for due diligence in relation to new suppliers. For example, you may stipulate that all new suppliers must be risk assessed, and background checks performed on their capabilities.


Using Word or Excel, develop a “Supplier Questionnaire” which the supplier completes on an annual basis; based on the responses you may take appropriate action, or add risks to the risk register.


Q & A

Do I need a written policy?

No, a policy is not mandatory in this situation. However, this control states that “Processes and procedures shall be defined”, so you should develop a procedure to ensure that the requirement is fulfilled. This ensures that the way you manage suppliers is handled in a structured and consistent manner.


It doesn’t have to be exhaustive. Simply document what you do currently, or what you believe you should be doing, and then communicate this to anyone who is likely to be involved in the procurement of supplier services.


Where do I start?

Don’t try to boil the ocean! If you’re struggling to identify all the key suppliers, simply ask the business which suppliers they know of. Alternatively, speak to finance and ask them who you have paid in the last 12 months. Sort that list by invoice value and you’ll be close to identifying your most important suppliers. Start there, and build out from that point.


Do I have to complete a questionnaire for all suppliers?

No. This is all about risk, so look at the list of suppliers you have and consider the risk to you and your business if there was an issue with that supplier. It’s unlikely that the person who brings fruit to your office on a Monday morning needs to be listed on your register, or needs to complete a due diligence questionnaire.


However, the IT company that provides onsite support probably should have appropriate background checks and due diligence performed. After all, they are supporting your networks and infrastructure and therefore have access to everything! You need to make sure you can trust them to do the right thing, and trust comes from evidence.
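The register fields listed earlier, the "ask finance and sort by spend" starting point, and the risk-based decision about who gets a questionnaire can be expressed as a small script. The example below is added here and is not from the original post; it is a Python sketch rather than anything the standard prescribes. The criticality and access-level scales, the tier thresholds, the 12-month spend field and the three suppliers are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from enum import IntEnum
from typing import List, Optional


class Criticality(IntEnum):
    # Assumed 1-3 scale: how hard would the supplier be to replace?
    LOW = 1
    MEDIUM = 2
    HIGH = 3


class AccessLevel(IntEnum):
    # Assumed 0-3 scale: how much of the business can the supplier reach?
    NONE = 0        # no access to premises or systems
    PHYSICAL = 1    # site access only
    LOGICAL = 2     # access to some systems or data
    PRIVILEGED = 3  # administrative access to networks or infrastructure


@dataclass
class Supplier:
    """One row of the supplier register, mirroring the fields in the post."""
    name: str
    relationship_owner: str
    contact: str
    service: str
    criticality: Criticality
    access_level: AccessLevel
    contract_end: date
    contract_location: str
    spend_last_12m: float                       # assumed field, sourced from finance
    last_questionnaire: Optional[date] = None   # None = never completed one


def rank_by_spend(suppliers: List[Supplier]) -> List[Supplier]:
    """The 'who have we paid in the last 12 months' starting point: biggest spend first."""
    return sorted(suppliers, key=lambda s: s.spend_last_12m, reverse=True)


def due_diligence_tier(s: Supplier) -> str:
    """Decide how much due diligence a supplier warrants (thresholds are an assumption)."""
    score = int(s.criticality) + int(s.access_level)
    if s.access_level == AccessLevel.PRIVILEGED or score >= 5:
        return "full"            # annual questionnaire plus background checks
    if score >= 3:
        return "questionnaire"   # annual questionnaire only
    return "register-only"       # listed, but no questionnaire (the fruit delivery)


def questionnaire_due(s: Supplier, today: date, interval_days: int = 365) -> bool:
    """True when a questionnaire-tier supplier has never answered or is past the annual cycle."""
    if due_diligence_tier(s) == "register-only":
        return False
    if s.last_questionnaire is None:
        return True
    return (today - s.last_questionnaire).days >= interval_days


def review_report(suppliers: List[Supplier], today: date) -> List[dict]:
    """Rows for the annual review, ordered by spend, with contract-expiry warnings."""
    rows = []
    for s in rank_by_spend(suppliers):
        rows.append({
            "supplier": s.name,
            "tier": due_diligence_tier(s),
            "questionnaire_due": questionnaire_due(s, today),
            "contract_expires_within_90d": 0 <= (s.contract_end - today).days <= 90,
        })
    return rows


# Constructed sample register: fictional suppliers, not real companies.
TODAY = date(2024, 5, 14)
SAMPLE_REGISTER = [
    Supplier("Example IT Support Ltd", "Head of IT", "support@example-it.invalid",
             "Onsite network and server support", Criticality.HIGH, AccessLevel.PRIVILEGED,
             date(2024, 7, 31), "Contracts share, IT folder", 48000.0, date(2023, 2, 1)),
    Supplier("Example Cloud CRM", "Sales Director", "account@example-crm.invalid",
             "Hosted customer database (SaaS)", Criticality.MEDIUM, AccessLevel.LOGICAL,
             date(2025, 1, 1), "Contracts share, Sales folder", 30000.0, date(2024, 1, 10)),
    Supplier("Monday Fruit Box", "Office Manager", "orders@example-fruit.invalid",
             "Weekly fruit delivery", Criticality.LOW, AccessLevel.NONE,
             date(2024, 12, 31), "Email confirmation", 1200.0, None),
]

if __name__ == "__main__":
    for row in review_report(SAMPLE_REGISTER, TODAY):
        print(row)
```

Run stand-alone, it prints one review row per supplier: the IT support company lands in the "full" tier with an overdue questionnaire and a contract expiring within 90 days, the CRM provider needs a questionnaire but is up to date, and the fruit delivery is recorded but never chased. Swapping the scales or thresholds for your own risk appetite is the whole point of the exercise; the structure (register, ranking, tiering, annual cycle) is what the auditor wants to see.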


Difficulty rating

We rate this control 1 out of 5 for difficulty. This means that it requires little if any technical skill to understand the requirement. You need to conduct a review of your suppliers, then capture the information in a single location. Once that is in place, make sure you pull the contracts together and repeat the review on an annual basis.


More questions?

Remember that nothing in ISO27001 sits in isolation, so you should review our FAQ to gain answers to other aspects of the standard. Follow the links in this control to see how it relates to other controls, but if you’re still confused about how to pull together a supplier register or how to complete some form of due diligence, then please get in touch.


For information on how to implement ISO27001, you might like to consider buying our book “The Real Easy Guide to ISO27001” which is available on Amazon.

