Editor’s Note: In this week’s edition of our blog series, Third-Party Risk Management: How to Stay Off the Regulatory Radar, we take a look at the International Organization for Standardization (ISO) Information Security Standards as a framework for evaluation third-party risk. Please be sure to review all the blogs in this series, and download the white paper for a complete examination of requirements.
ISO 27001 is an international standard for the stringent evaluation of cyber and information security practices. It provides requirements for establishing, implementing, maintaining and continually improving an information security management system. Based on an international set of requirements, it outlines a systematic approach to managing sensitive company information so that it remains secure. It includes people, processes and IT systems by applying a risk management process. There are two (2) supplements to consider as important corollaries to ISO 27001, including:
With respect to managing information security in supplier (third-party) relationships, Section 15 of 27001 and 27002 summarize the requirements for securely dealing with various types of third parties. Using a top-down, risk-based approach, the specification provides the following guidance for managing suppliers:
Organizations choose to become certified against these standards in order to benefit from the best practice guidance and to reassure customers and clients that their recommendations have been followed.
Prevalent can help address the third-party requirements recommended standards in ISO 27001 / 27002 / 27018:
ISO 27001:2013: Information Security Management Systems (ISMS) – Requirements / ISO 27002:2013: Code of Practice for Information Security Controls
ISO 27018:2019(E): Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
Prevalent delivers a 360-degree view of supplier risk, including cloud providers, with clear and concise reporting tied to specific regulations and control frameworks for improved visibility and decision making to address the objectives specified in, and the contents of, ISO/IEC 27002:2013, Clause 15 Supplier Relationships.
The ISO standards presented here require robust management and tracking of third-party supplier security risk. They specify the following:
Having strong Information Security Management Systems is part of the supplier lifecycle and requires a complete, internal view of the controls in place as well as continuous monitoring of all third parties. This cannot be addressed with a simple, external automated scan. Prevalent delivers a unified platform that can help effectively audit supplier security controls to ensure compliance.
Next week’s blog addresses NIST Special Publication 800-53r4 and the NIST Framework for Improving Critical Infrastructure (CSF) v1.1.
The third-party service provider security policy requirements set forth in NYDFS Part 500 go a long...
NIST has two industry standards that deal with identifying, assessing & managing supply chain risk. Here's...