Do not take this ISO27001 control in isolation, as there are other controls closely associated with ICT supply chain management. These Annex controls are A5.19, A5.20, A5.22 and A5.23. I’ll be sure to remind you of this fact on each of these controls.
If it hasn’t occurred to you already, I think this is a clear sign that managing suppliers is extremely important in ISO27001 and to information security.
What does the standard require?
The standard states that “Processes and procedures shall be defined and implemented to manage the information security risks associated with the ICT products and services supply chain.” (A5.21 Managing information security in the ICT supply chain).
I’m no fan of acronyms, so let’s remember that ICT means Information and Communication Technology. Keep that full meaning in mind, because it covers far more than the obvious hardware.
ICT products and services can include;
Network devices
Servers
Workstations
Mobile devices
Telecommunications (i.e. Network services)
Cloud services (which we will look at in A5.23)
Social media (including instant message services, like MS Teams)
Teleconferencing services (like Zoom)
Managed Service Providers
Development
Penetration Testing
This is not meant to be an exhaustive list, but merely acts to illustrate that in three brief letters (ICT) there is a lot to consider.
Why is this required?
Like any supplier, the ICT supply chain can introduce vulnerabilities and threats to your business, as malicious attackers attempt to infiltrate the ICT supply chain which serves you.
For example, in 2020 a vulnerability was discovered in SolarWinds Orion which allowed external attackers to gain access to a victim’s entire network infrastructure.
SolarWinds is a software company that primarily deals in systems management tools used by IT professionals. Its product Orion is a Network Management System (NMS), widely deployed in organisations both large and small.
Network management systems are prime targets for attackers because of their broad capabilities for monitoring and managing systems, including network devices, servers and workstations.
The cost of clearing up the issue was estimated to be around $40 million to SolarWinds alone; however, it is not known how many organisations were breached as a result of the SolarWinds vulnerability, so the true cost will never be fully understood.
What the auditor is looking for
This control states that processes and procedures shall be defined, therefore you should have a documented approach to supplier management which includes ICT suppliers. In your procedures you may provide additional controls and requirements which should be met, or that must be followed for ICT providers.
The auditor will be looking for the following to be in place;
Supplier management process (and that it includes ICT suppliers)
Supplier assessments and questionnaires
Supplier Agreements or contracts
Supplier reviews have been undertaken (at regular intervals)
What do you need to do?
Do not read this control in isolation. You should refer to the other controls previously mentioned to ensure that all suppliers are managed effectively. But pay close attention to the ICT suppliers. These are the ones which often slip through the net (no pun intended), yet have the greatest level of access to your networks and your information.
Q & A
Do we need to document the process?
This control states that “Processes and procedures shall be defined”, but if you have been following along in order, then you will have done this as part of Annex A control A5.19 Information security in supplier relationships. If you haven’t, then I would suggest you take a look at that control and ensure you incorporate provision for ICT suppliers into it.
What specific requirements for ICT suppliers should we consider?
The requirements that you have set out for other suppliers merely need to be extended to ICT vendors, so that you do not miss any of the providers mentioned above.
For example, all supplier agreements should include consideration for roles and responsibilities. But if one of your ICT suppliers is a provider of development services, then you might want to include (within the contract) something that talks about intellectual property. Who owns the rights to the application or tool that the developer has written for you? You might think that because you’ve paid for their service, it automatically belongs to you. But this might not always be the case. And can they re-use the application/code they developed for you, for a future client?
Only by expressly dealing with this kind of supplier and setting out specific requirements can you be confident that this risk (of intellectual property theft) is under control.
Difficulty rating
We rate this a 2 out of 5 difficulty rating. This means that it requires a little technical skill to understand the requirement, only because it requires that you have a more detailed conversation with your ICT providers about what they are doing for you. Therefore you may come up against some additional technical areas which aren’t familiar to you. For example, ‘Managed Service Provider’ is a very broad term for any ICT service which is managed on your behalf. This can be anything from a simple IT support service to a fully managed network monitoring service, such as a Network Operations Centre (NOC) or a Security Operations Centre (SOC).
More questions?
Remember that nothing in ISO27001 sits in isolation, so you should review our FAQ to gain answers to other aspects of the standard. Follow the links in this control to see the relationship in other controls, but if you’re still confused about this control, then please get in touch.
For information on how to implement ISO27001, you might like to consider buying our book “The Real Easy Guide to ISO27001” which is available on Amazon.