Editor’s Note: In this week’s edition of our blog series, Third-Party Risk Management: How to Stay Off the Regulatory Radar, we take a look at the International Organization for Standardization (ISO) information security standards as a framework for evaluating third-party risk. Please be sure to review all the blogs in this series, and download the white paper for a complete examination of the requirements.
ISO 27001 is the international standard for information security management. It specifies requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS): a systematic, risk-based approach to managing sensitive company information that covers people, processes and IT systems. Two companion standards are important corollaries to ISO 27001:
- ISO 27002 is a code of practice that provides implementation guidance for the security controls listed in Annex A of ISO 27001. It helps organizations decide what they need to put in place to meet those requirements.
- ISO 27018, when used in conjunction with the information security objectives and controls in ISO 27002, creates “a common set of security categories and controls that can be implemented by a public cloud computing service provider acting as a PII processor.”
Third-Party Risk Management Requirements in the ISO Standards
With respect to managing information security in supplier (third-party) relationships, Annex A.15 of ISO 27001:2013 and Clause 15 of ISO 27002:2013 (Supplier relationships) set out the requirements for dealing securely with the various types of third parties. Using a top-down, risk-based approach, the standards provide the following guidance for managing suppliers:
- Create an information security policy for supplier relationships that defines the policies, procedures and controls required to manage the risk of supplier access to the organization’s assets (15.1.1).
- Establish contractual agreements with every supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization’s information (15.1.2).
- Include requirements in those agreements to address the information security risks associated with the information and communications technology services and product supply chain (15.1.3).
- Regularly monitor, review and audit supplier service delivery (15.2.1).
- Manage changes to supplier services, including re-assessing the associated risks (15.2.2).
Organizations become certified against ISO 27001 in order to benefit from its best-practice guidance and to assure customers and clients that the recommendations have been followed. Certification is against ISO 27001 itself; ISO 27002 and ISO 27018 are codes of practice that guide the controls implemented within that certified ISMS.
Meeting ISO Third-Party Guidance Using the Prevalent Platform
Prevalent can help address the third-party requirements and recommendations in ISO 27001 / 27002 / 27018:
ISO 27001:2013: Information Security Management Systems (ISMS) – Requirements / ISO 27002:2013: Code of Practice for Information Security Controls
- Automates the supplier risk assessment process and helps determine third-party compliance with IT security, regulatory, and data privacy requirements, addressing the objective of 15.1 Information security in supplier relationships: ensuring protection of the organization’s assets that are accessible by suppliers.
- Performs assessments that document the agreements specified in 15.1.1 Information security policy for supplier relationships and 15.1.2 Addressing security within supplier agreements, including items 15.1.2 (d), (m), (n) and (p).
- Provides a complete set of internal and external assessment and monitoring services to ensure that agreements with suppliers include requirements addressing the information security risks associated with the information and communications technology services and product supply chain, as required in 15.1.3 Information and communication technology supply chain, item 15.1.3 (d).
- Unifies internal control-based assessments (built on industry-standard framework questionnaires and/or custom questionnaires) with continuous vendor threat monitoring to address the requirements of 15.2 Supplier service delivery management and 15.2.1 Monitoring and review of supplier services, items 15.2.1 (c) and (g).
ISO 27018:2019(E): Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
Prevalent delivers a 360-degree view of supplier risk, including cloud providers, with clear and concise reporting tied to specific regulations and control frameworks for improved visibility and decision making. This addresses the objectives and controls of ISO/IEC 27002:2013, Clause 15 Supplier relationships, which ISO 27018 applies to cloud providers acting as PII processors.
The ISO standards presented here require robust management and tracking of third-party supplier security risk. They specify the following:
- A policy for managing supplier risk should be in place.
- That policy’s security requirements should be codified in supplier agreements.
- Suppliers should be managed and audited against the agreed requirements.
A strong Information Security Management System extends across the supplier lifecycle and requires a complete internal view of the controls in place as well as continuous monitoring of all third parties. This cannot be achieved with a simple external automated scan alone. Prevalent delivers a unified platform that helps audit supplier security controls effectively to ensure compliance.
Our Series Continues…
Next week’s blog addresses NIST Special Publication 800-53 Revision 4 and the NIST Framework for Improving Critical Infrastructure Cybersecurity (CSF) v1.1.