ISO 27001 is an international standard for the stringent evaluation of cyber and information security practices. It provides requirements for establishing, implementing, maintaining and continually improving an information security management system. Based on an international set of requirements, it outlines a systematic approach to managing sensitive company information so that it remains secure. It includes people, processes and IT systems by applying a risk management process. There are three supplements to consider as important corollaries to ISO 27001, including:
- ISO 27002 is a supplementary standard that provides advice on how to implement the security controls listed in Annex A of ISO 27001. It helps organizations consider what they need to put in place to meet these requirements.
- ISO 27018, when used in conjunction with the information security objectives and controls in ISO 27002, creates “a common set of security categories and controls that can be implemented by a public cloud computing service provider acting as a PII processor.”
- ISO 27036-2 is a related framework that specifies information security requirements for "defining, implementing, operating, monitoring, reviewing, maintaining and improving supplier and acquirer relationships." This standard extends the information security requirements defined in previous ISO standards adding specific guidance to ensure secure acquirer-supplier relationships.
- ISO 27701 was the first international standard on privacy information management, which helps organizations to demonstrate the methods and controls used in protecting both their internal and customers’ personal data. It augments security guidance published in ISO 27001 an ISO 27002.
Third-Party Risk Management Requirements in the ISO Standards
With respect to managing information security in supplier (third-party) relationships, Section 15 of 27001 and 27002 summarize the requirements for securely dealing with various types of third parties. Using a top-down, risk-based approach, the specification provides the following guidance for managing suppliers:
- Create an information security policy for supplier relationships that outlines specific policies and procedures and mandates specific controls be in place to manage risk.
- Establish contractual supplier agreements for any third party that may access, process, store, communicate, or provide IT infrastructure to an organization’s data.
- Include requirements to address the information security risks associated with information and communications technology services and product supply chain.
- Monitor, review and audit supplier service delivery.
- Manage changes to the supplier services, considering re-assessment of risks.
Organizations choose to become certified against these standards in order to benefit from the best practice guidance and to reassure customers and clients that their recommendations have been followed.
Clauses 6 and 7 in ISO 27036-2 define fundamental and high-level information security requirements applicable to the management of several supplier relationships at any point in that supplier relationship lifecycle.
Meeting ISO Third-Party Guidance Using the Prevalent Platform
Prevalent can help address the recommended standards for third-party risk management in ISO 27001, 27002, 27018, 27036-2 and 27701:
Information Security Management Systems (ISMS) – Requirements / ISO 27002:2013: Code of Practice for Information Security Controls
- Automates the supplier risk assessment process and helps to determine third-party compliance with IT security, regulatory, and data privacy requirements to address the requirement of ensuring protection of the organization’s assets accessible by suppliers in 15.1 Information security in supplier relationships.
- Performs assessments to document agreements as specified in 15.1.1 Information security policy for supplier relationships and 15.1.2 Addressing security in supplier agreements, sections 15.1.2 (d), 15.1.2 (m), 15.1.2 (n), and 15.1.2 (p).
- Provides a complete set of internal and external assessment and monitoring services to ensure agreements with suppliers include requirements to address the information security risks associated with information and communications technology services and product supply chain as required in 15.1.3 Information and communication technology supply chain, section 15.1.3 (d).
- Unifies internal control-based assessments (based on industry standard framework questionnaires and/or custom questionnaires) with continuous vendor threat monitoring to address requirements in 15.2 Supplier service delivery management and 15.2.1 Monitoring and review of supplier services, sections 15.2.1 (c) and 15.2.1 (g).
Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
Prevalent delivers a 360-degree view of supplier risk, including cloud providers, with clear and concise reporting tied to specific regulations and control frameworks for improved visibility and decision making to address the objectives specified in, and the contents of, ISO/IEC 27002:2013, Clause 15 Supplier Relationships.
Information technology – Security techniques – Information security for supplier relationships – Part 2: Requirements
- Provides instant access to thousands of completed, industry-standard vendor risk profiles offering real-time security, reputational and financial information to meet the organization’s risk tolerance levels in support of 188.8.131.52 Information security in supplier relationship management / Agreement processes / Acquisition process and 7.2.1 Information security in a supplier relationship instance / Supplier selection process /
- Eliminates the security and compliance exposures that come from working with vendors, suppliers and other third parties across the entire vendor risk lifecycle – from sourcing and selection to offboarding and everything in between according to 6.2.1 Information security in supplier relationship management / Organizational project-enabling processes / Life cycle model management process
- Provides a central SaaS platform that enables acquirers and suppliers to collaborate on risk reduction by automating risk assessments against more than 75 industry standards – including ISO – to support 184.108.40.206 Organizational project-enabling processes / Infrastructure management process
- Continuously tracks and analyzes threats to your third parties by monitoring the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information to support 220.127.116.11 Project processes / Risk management process
- Reveals supplier cyber incidents by monitoring 1,500+ criminal forums; thousands of onion pages; 80+ dark web special access forums; 65+ threat feeds; and 50+ paste sites for leaked credentials — as well as several security communities, code repositories, and vulnerability databases – and correlates them against completed risk assessments for a more complete picture of a supplier’s risk posture in support of 18.104.22.168 Project processes / Measurement process
- Automatically maps information gathered from control-based assessments to regulatory frameworks – including ISO and many others – to quickly visualize and address important compliance requirements at every stage of the supplier lifecycle in support of 7.4.1 Supplier relationship management process
- Automates contract assessments and offboarding procedures to reduce your organization’s risk of post-contract exposure in support of 7.5.1 Supplier relationship termination process (a) and (b)
Extension to ISO 27001 and ISO 27002 for privacy information management
The Prevalent Privacy Information Management Survey (PIMS) provides organizations with a comprehensive assessment based around the ISO/IEC 27701:2019 standard for privacy information management, leveraging the structure and framework of the ISO 27001:2013 standard’s security controls. This brings together a detailed assessment on how an organization has implemented information security controls and applied additional privacy-based controls to manage and support the products and services being provided.
Next Steps for ISO Compliance
The ISO standards presented here require robust management and tracking of third-party supplier security risk. They specify the following:
- A policy for selecting suppliers based on information security practices should be in place
- A policy for managing risk should be in place
- A policy should be codified in supplier agreements
- Suppliers should be managed and audited to the agreed requirements
Having strong Information Security Management Systems is part of the supplier lifecycle and requires a complete, internal view of the controls in place as well as continuous monitoring of all third parties. This cannot be addressed with a simple, external automated scan. Prevalent delivers a unified platform that can help effectively audit supplier security controls to ensure ISO compliance.
Contact us today for a personalized demo to learn how Prevalent can address your ISO requirements.