
ISO 27001, 27002, 27018, 27036-2 and 27701

ISO and Third-Party Risk Management

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) assemble experts to share knowledge and develop voluntary, consensus-based international standards to solve global challenges. Cybersecurity and data privacy standards from the ISO and the IEC provide a solid baseline for assessing third-party security controls and revealing potential exposures in your supply chain.

The ISO 27001, 27002, 27018, 27036-2, and 27701 standards set requirements for establishing, implementing, maintaining and continually improving an information security management system.

  • ISO 27001 provides a framework for establishing, implementing, maintaining, and continually improving an information security management system.

  • ISO 27002 provides supplementary advice on how to implement the security controls listed in Annex A of ISO 27001. Section 15 summarizes the requirements for securely dealing with various types of third parties.

  • ISO 27018 establishes control objectives, controls, and guidelines for implementing measures to protect Personally Identifiable Information (PII).

  • ISO 27701 provides guidance for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS).

  • ISO 27036-2 specifies fundamental information security requirements for defining, implementing, operating, monitoring, reviewing, maintaining, and improving supplier and acquirer relationships. Clauses 6 and 7 define fundamental and high-level information security requirements applicable to the management of several supplier relationships at any point in that supplier relationship lifecycle.

Relevant Requirements

  • Create an information security policy for supplier relationships that outlines policies and procedures and mandates controls for managing risk

  • Establish contractual supplier agreements for any third party that may access, process, store, communicate, or provide IT infrastructure to an organization’s data

  • Include contractual requirements to address risks associated with information technology services and product supply chains

  • Monitor, review and audit supplier service delivery

  • Manage changes to supplier services and re-assess risks when necessary

ISO Third-Party Compliance Checklist

The ISO Third-Party Compliance Checklist is a 17-page guide that reveals which TPRM practices map to recommendations outlined in ISO 27001, 27002, 27018, 27036-2 and 27701.


Meeting ISO 27001, 27002, 27018, 27036-2 & 27701 TPRM Standards

Here's how Prevalent can help you address ISO third-party risk management standards. This table summarizes specific supplier relationship controls discussed in ISO 27001 and ISO 27002, overlaid by complementary ISO 27701 privacy controls. ISO 27018 guidance is not referenced below, because ISO 27018 simply indicates that ISO 27002 controls are applicable in each use case.

ISO 27001 / 27002 Requirements and How We Help

15: Supplier Relationships

15.1 Information security in supplier relationships

"Objective: To ensure protection of the organization’s assets that are accessible by suppliers."

Prevalent offers security, privacy, and risk management professionals an automated platform to centrally manage the supplier risk assessment process and determine third-party compliance with IT security and data privacy requirements across the vendor lifecycle. The Platform employs both standard and custom ISO-based questionnaires to help collect evidence and provides bi-directional remediation workflows, reporting, and an easy-to-use dashboard. With clear reporting and remediation guidance, the platform ensures that risks are identified and escalated to the proper channels.

15.1.1 Information security policy for supplier relationships (with ISO 27701 6.12.1.1)

"Control: Information security requirements for mitigating the risks associated with supplier’s access to the organization’s assets should be agreed with the supplier and documented."

The Prevalent Third-Party Risk Management Platform provides a complete solution for performing automated assessments and an environment to include and manage documented due-diligence evidence.

15.1.1 a)

“identifying and documenting the types of suppliers, e.g. IT services, logistics utilities, financial services, IT infrastructure components, whom the organization will allow to access its information;”

The Prevalent Platform enables organizations to automatically tier suppliers according to their inherent risk scores, set appropriate levels of diligence, and determine the scope of ongoing assessments. Organizations can also categorize vendors with rule-based logic based on a range of data interaction, financial, regulatory and reputational considerations.

15.1.1 b)

“a standardised process and lifecycle for managing supplier relationships;”

Prevalent delivers a programmatic process for managing risks across every stage of the vendor lifecycle:

  • Sourcing and selection – Access a central repository of risk insights for thousands of potential vendors
  • Intake and onboarding – Centralize vendor onboarding and management
  • Inherent risk scoring – Improve risk visibility to prioritize vendors
  • Risk assessments – Automate and accelerate the vendor risk assessment process with built-in templates, reporting and remediation management
  • Continuous monitoring – Validate vendor security controls with continuous cyber, business, reputational and financial risk intelligence
  • Performance and SLA management – Centrally monitor, manage and report on vendor performance and contracts
  • Offboarding and termination – Securely wind down business relationships with assessment templates and reporting

15.1.1 e)

“processes and procedures for monitoring adherence to established information security requirements for each type of supplier and type of access, including third party review and product validation;”

The Prevalent Platform includes 75+ pre-defined assessment templates, plus the ability to import offline assessments or build custom questionnaires with risk and control elements relevant to your business.

15.1.1 h)

“handling incidents and contingencies associated with supplier access including responsibilities of both the organization and suppliers;”

The Prevalent Third-Party Incident Response Service enables you to rapidly identify and mitigate the impact of supply chain breaches by centrally managing vendors, conducting event assessments, scoring identified risks, and accessing remediation guidance.

15.1.1 i)

“resilience and, if necessary, recovery and contingency arrangements to ensure the availability of the information or information processing provided by either party;”

The Prevalent Third-Party Risk Management Platform includes unified capabilities for assessing, analyzing and addressing weaknesses in supplier business resilience plans. This enables you to proactively work with your supplier community to prepare for pandemics, environmental disasters, and other potential crises.

15.1.1 l)

“conditions under which information security requirements and controls will be documented in an agreement signed by both parties;”

The Prevalent Platform enables organizations to collaborate on documents and certifications, such as NDAs, SLAs, SOWs and contracts, with built-in version control, task assignment and auto-review cadences. Manage all documents throughout the vendor lifecycle in centralized vendor profiles.

15.1.1 m)

“managing the necessary transitions of information, information processing facilities and anything else that needs to be moved, and ensuring that information security is maintained throughout the transition period.”

With the Prevalent Platform, organizations can leverage customizable surveys and workflows to report on system access, data destruction, access management, compliance with all relevant laws, final payments, and more.

15.1.2 Addressing security in supplier agreements (with ISO 27701 6.12.1.2)

"Control: All relevant information security requirements should be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization’s information."

The Prevalent Privacy Information Management Survey (PIMS) provides organizations with a comprehensive assessment based around the ISO/IEC 27701:2019 standard for privacy information management, leveraging the structure and framework of the ISO 27001:2013 standard’s security controls. This provides a detailed assessment on how an organization has implemented information security controls and applied additional privacy-based controls to manage and support their products and services.

The survey has been designed such that specific sections are used depending on the role an organization plays (that of a PII processor or PII controller). This survey can be used by PII controllers (including those that are joint PII controllers) and PII processors.

The Prevalent Platform also centralizes agreements, contracts and supporting evidence with built-in task and acceptance management, plus mandatory upload features to simplify document and supplier agreement management.

15.1.2 d)

"obligation of each contractual party to implement an agreed set of controls including access control, performance review, monitoring, reporting and auditing;"

The Prevalent solution enables internal control-based assessments (based on the ISO industry standard framework and/or custom questionnaires). The platform includes built-in workflow capabilities that enable assessors to interact efficiently with third parties during the due diligence collection and review periods. Robust reporting and audit capabilities give each level of management the information it needs to properly review the third party's performance.

Organizations can assess third parties against cybersecurity, SLA performance, and other topics, and correlate findings with the results of continuous outside monitoring for a complete view of risks.

15.1.2 g)

“information security policies relevant to the specific contract;”

The Prevalent Platform enables organizations to assess suppliers on information security criteria using a specific ISO questionnaire or a custom assessment, with flagging and tagging of risks for follow-up. All contract documentation is centrally housed in the Platform.

15.1.2 m)

"right to audit the supplier processes and controls related to the agreement;"

The Prevalent solution provides a simple, trackable, repeatable mechanism to perform controls audits, including a built-in risk register, reporting and remediation guidance.

15.1.2 n)

"defect resolution and conflict resolution processes;"

Bi-directional workflow in the Prevalent platform includes built-in discussion tools to enable communication with suppliers on remediating issues.

15.1.2 p)

"supplier’s obligations to comply with the organization’s security requirements."

The Prevalent solution ensures suppliers implement the exact, agreed-upon requirements with regular tracking and verification.

15.1.3 Information and communication technology supply chain (with ISO 27701 6.12.1.3)

"Control: Agreements with suppliers should include requirements to address the information security risks associated with information and communications technology services and product supply chain."

Prevalent’s TPRM platform provides a complete set of internal and external assessment and monitoring services to ensure a full view of a supplier's information, communications and product supply chain security posture.

15.1.3 d)

"implementing a monitoring process and acceptable methods for validating that delivered information and communication technology products and services are adhering to stated security requirements;"

The Prevalent solution includes a mechanism to perform reviews; monitor compliance with agreed policies; and audit and generate regular reports for all levels of management.

15.1.3 f)

“obtaining assurance that critical components and their origin can be traced throughout the supply chain;”

With the Prevalent Platform, organizations can identify relationships with third parties, 4th parties and Nth parties to discover dependencies and visualize information paths.

15.2 Supplier service delivery management

“Objective: To maintain an agreed level of information security and service delivery in line with supplier agreements.”

The Platform includes built-in workflow capability enabling assessors to interact efficiently with third parties during the due diligence collection and review periods.

15.2.1 Monitoring and review of supplier services (with ISO 27701 6.12.2.1)

"Control: Organizations should regularly monitor, review and audit supplier service delivery."

The Prevalent Platform enables organizations to gain visibility into vendor contract status, contact information, risk and compliance status, performance metrics, and more via centralized dashboards – while also leveraging PowerBI integration for custom reporting. Armed with these insights, teams can see whether or not a supplier is meeting its agreed-upon requirements.

15.2.1 a)

“monitor service performance levels to verify adherence to the agreements;”

With the Prevalent Platform, organizations can customize surveys to make it easy to gather and analyze necessary performance and contract data in a single risk register. Prevalent identifies key contract attributes relating to SLAs or performance, populates those requirements in the Platform, and assigns tasks to you and your third party for tracking purposes.

15.2.1 c)

"conduct audits of suppliers, in conjunction with review of independent auditor’s reports, if available, and follow-up on issues identified;"

The Prevalent platform provides a simple, trackable, repeatable mechanism to perform audits along with a workflow and shared communication mechanism to track issues to resolution.

15.2.1 g)

“review information security aspects of the supplier’s relationships with its own suppliers;”

The Prevalent solution provides a detailed map to visualize all relationships for each entity and other business entities (e.g., vendors / departments / datasets). This capability enables organizations to monitor relationships between third, fourth, and Nth parties.

15.2.1 h)

“ensure that the supplier maintains sufficient service capability together with workable plans designed to ensure that agreed service continuity levels are maintained following major service failures or disaster”

Organizations can leverage Prevalent's built-in business resilience assessment questionnaire to understand supplier incident response, disaster recovery and communications plans. Review and approve assessment responses to automatically register risks, or reject responses and request additional input.

ISO 27036-2 Requirements and How We Help

6: Information Security in Supplier Relationship Management

6.1.1.1 Agreement processes / Acquisition process / Objective

a) Establish a supplier relationship strategy that:
1) Is based on the information security risk tolerance of the acquirer;
2) Defines the information security foundation to use when planning, preparing, managing and terminating the procurement of a product or service.

Prevalent Vendor Risk Intelligence Networks provide instant access to thousands of completed, industry-standard vendor risk profiles offering real-time security, reputational and financial information. With these insights in hand, procurement teams can contract with vendors that meet their organization’s risk tolerance levels and easily compare vendors against common security criteria.

6.2.1 Organizational project-enabling processes / Life cycle model management process

a) The acquirer and the supplier shall establish the life cycle model management process when managing information security in supplier relationships.

Prevalent helps to eliminate the security and compliance exposures that come from working with vendors, suppliers and other third parties across the entire vendor risk lifecycle – from sourcing and selection to offboarding and everything in between.

6.2.2.1 Organizational project-enabling processes / Infrastructure management process / Objective

a) Provide the enabling infrastructure to support the organization in managing information security within supplier relationships.

Prevalent provides a central SaaS platform that enables acquirers and suppliers to collaborate on risk reduction by automating risk assessments against more than 75 industry standards – including ISO. With the platform, acquirers gain built-in workflow and remediation, automated analysis and reporting.

6.2.2.2 Organizational project-enabling processes / Infrastructure management process / Activities

b) Define, implement, maintain and improve contingency arrangements to ensure that the procurement or the supply of a product or service can continue in the event of its disruption caused by natural or man-made causes.

Prevalent provides a built-in business resilience assessment questionnaire to evaluate supplier incident response, disaster recovery and communications plans. Review and approve assessment responses to automatically register risks, or reject responses and request additional input.

6.2.3.2 Project portfolio management process / Activities

a) Define, implement, maintain and improve a process for identifying and categorizing suppliers or acquirers based on the sensitivity of the information shared with them and on the access level granted to them to acquirer’s or supplier’s assets, such as information and information systems;

The Prevalent Platform enables organizations to automatically tier suppliers according to their inherent risk scores, set appropriate levels of diligence, and determine the scope of ongoing assessments. Organizations can also categorize vendors with rule-based logic based on a range of data interaction, financial, regulatory and reputational considerations.
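The tiering described here, and under 15.1.1 a) above, rests on two steps: an inherent risk score computed from what a supplier touches (before any questionnaire is answered), and rule-based categories that decide which assessment sections apply. The following is an added example, written for this page and not Prevalent's own code; the weights, tier thresholds, category rules, assessment names and sample suppliers are all constructed assumptions chosen to make the mechanics visible.

```python
from dataclasses import dataclass

# Constructed weights, thresholds and rules: assumptions for this example, not Prevalent's model.
DATA_CLASS_WEIGHTS = {"public": 0, "internal": 10, "confidential": 25, "pii": 40}
ACCESS_WEIGHTS = {"none": 0, "read": 10, "read_write": 20, "admin": 35}
INFRA_WEIGHT = 15            # supplier hosts or provides IT infrastructure for our data
HIGH_SPEND_USD = 1_000_000   # financial-dependency threshold
TIER_THRESHOLDS = ((70, 1), (40, 2), (0, 3))  # score >= 70 -> tier 1 (most diligence)


@dataclass(frozen=True)
class Supplier:
    name: str
    data_classification: str   # highest class of our data the supplier touches
    access_level: str          # access granted to our systems
    hosts_infrastructure: bool
    annual_spend_usd: float
    regulated_sectors: frozenset
    adverse_media_hits: int    # reputational signal from monitoring, last 12 months


def inherent_risk_score(s: Supplier) -> int:
    """Pre-assessment score from what the supplier touches, not how well it protects it."""
    score = DATA_CLASS_WEIGHTS[s.data_classification] + ACCESS_WEIGHTS[s.access_level]
    if s.hosts_infrastructure:
        score += INFRA_WEIGHT
    if s.annual_spend_usd >= HIGH_SPEND_USD:
        score += 10
    score += min(10, 5 * len(s.regulated_sectors))   # regulatory exposure, capped
    score += min(10, 2 * s.adverse_media_hits)       # reputational exposure, capped
    return min(score, 100)


def tier_for(score: int) -> int:
    """Map a score to a tier; tier 1 receives the deepest diligence."""
    for threshold, tier in TIER_THRESHOLDS:
        if score >= threshold:
            return tier
    return TIER_THRESHOLDS[-1][1]


def categorize(s: Supplier) -> list[str]:
    """Rule-based tags that drive which questionnaire sections apply."""
    rules = [
        ("pii_processor", s.data_classification == "pii"),
        ("infrastructure_provider", s.hosts_infrastructure),
        ("regulated", bool(s.regulated_sectors)),
        ("high_spend", s.annual_spend_usd >= HIGH_SPEND_USD),
        ("reputational_watch", s.adverse_media_hits >= 3),
    ]
    return [tag for tag, hit in rules if hit]


def assessment_scope(tier: int) -> list[str]:
    """Diligence expected per tier (constructed mapping)."""
    scope = {
        1: ["iso_27001_full", "business_resilience", "continuous_monitoring", "onsite_audit"],
        2: ["iso_27001_full", "continuous_monitoring"],
        3: ["self_attestation"],
    }
    return scope[tier]


def profile(s: Supplier) -> dict:
    """Combine score, tier, categories and assessment scope into one record."""
    score = inherent_risk_score(s)
    tier = tier_for(score)
    return {"name": s.name, "score": score, "tier": tier,
            "categories": categorize(s), "assessments": assessment_scope(tier)}


# Constructed sample suppliers
SAMPLE_SUPPLIERS = [
    Supplier("Payroll SaaS", "pii", "read_write", True, 2_000_000, frozenset({"finance", "hr"}), 1),
    Supplier("Office Catering", "internal", "none", False, 50_000, frozenset(), 0),
    Supplier("Marketing Agency", "confidential", "read", False, 300_000, frozenset(), 3),
]

if __name__ == "__main__":
    for supplier in SAMPLE_SUPPLIERS:
        print(profile(supplier))
```

The point of separating the score from the categories is that a low-scoring supplier can still pick up a category that forces a specific questionnaire section (the marketing agency lands in tier 2 but is tagged for reputational follow-up because of adverse media), while the tier alone decides how much ongoing monitoring the relationship gets.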

6.3.4.1 Project processes / Risk management process / Objective

a) Continuously address information security risks in supplier relationships and throughout their life cycle including re-examining them periodically or when significant business, legal, regulatory, architectural, policy and contractual changes occur.

Prevalent [Vendor Threat Monitor](/products/vendor-risk-monitoring/) continuously tracks and analyzes threats to your third parties. The solution monitors the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information.

The solution is backed by a dedicated and custom contract assessment questionnaire that enables comprehensive reviews by identifying potential breaches of contract and other risks as the relationship progresses.

6.3.7.1 Project processes / Measurement process / Objective

a) Collect, analyze, and report information security measures related to the procurement or supply of a product or service to demonstrate the maturity of information security in a supplier relationship and to support effective management of processes.

With Prevalent, acquirers can reveal supplier cyber incidents by monitoring 1,500+ criminal forums; thousands of onion pages; 80+ dark web special access forums; 65+ threat feeds; and 50+ paste sites for leaked credentials — as well as several security communities, code repositories, and vulnerability databases.

These results can then be correlated against completed risk assessments for a more complete picture of a supplier’s risk posture. With these insights, acquirers have a central risk register to manage recommended remediations and report on progress.

7: Information Security in a Supplier Relationship Instance

7.2.1 Supplier selection process / Objectives

a) Select a supplier that provides adequate information security for the product or service that may be procured.

Prevalent Vendor Risk Intelligence Networks provide instant access to thousands of completed, industry-standard vendor risk profiles offering real-time security, reputational and financial information. With these insights in hand, procurement teams can contract with vendors that meet their organization’s risk tolerance levels and easily compare vendors against common security criteria.

7.4.1 Supplier relationship management process / Objectives

a) Maintain information security during the execution period of the supplier relationship in accordance with the supplier relationship agreement and by particularly considering the following:
4) Monitor and enforce compliance of the supplier with information security provisions defined in the supplier relationship agreement.

With the Prevalent Platform, acquirers can automatically map information gathered from control-based assessments to regulatory frameworks – including ISO and many others – to quickly visualize and address important compliance requirements at every stage of the supplier lifecycle.

7.5.1 Supplier relationship termination process / Objectives

a) Protect the product or service supply during termination to avoid any information security, legal and regulatory impacts after the notice of termination;
b) Terminate the product or service supply in accordance with the termination plan.

The Prevalent Third-Party Risk Management Platform automates contract assessments and offboarding procedures to reduce your organization’s risk of post-contract exposure.

Leverage customizable surveys and workflows to report on system access, data destruction, access management, compliance with all relevant laws, final payments, and more.
