
ISO 27001, 27002 & 27036-2 Compliance

ISO and Third-Party Risk Management

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) assemble experts to share knowledge and develop voluntary, consensus-based international standards to solve global challenges. Cybersecurity and data privacy standards from the ISO and the IEC provide a solid baseline for assessing third-party security controls and revealing potential exposures in your supply chain.

Together, ISO 27001, 27002 and 27036-2 set out the requirements and guidance for establishing, implementing, maintaining and continually improving an information security management system (ISMS) and for securing supplier relationships.

  • ISO 27001 provides a framework for establishing, implementing, maintaining, and continually improving an information security management system.

  • ISO 27002 provides supplementary guidance on how to implement the controls listed in Annex A of ISO 27001. In the 2013 edition, clause 15 covered supplier relationships; in the 2022 edition (the numbering used on this page) those controls are 5.19 through 5.23 under Organizational controls.

  • ISO 27036-2 specifies fundamental information security requirements for defining, implementing, operating, monitoring, reviewing, maintaining and improving supplier and acquirer relationships. Clauses 6 and 7 define fundamental and high-level information security requirements that apply to the management of supplier relationships at any point in the relationship lifecycle.

Relevant Requirements

  • Create an information security policy for supplier relationships that outlines policies and procedures and mandates controls for managing risk

  • Establish contractual supplier agreements with any third party that may access, process, store or communicate the organization’s information, or provide IT infrastructure components for it

  • Include contractual requirements to address risks associated with information technology services and product supply chains

  • Monitor, review and audit supplier service delivery

  • Manage changes to supplier services and re-assess risks when necessary

Align Your TPRM Program with ISO Standards

The ISO Third-Party Compliance Checklist is a 30-page guide that reveals which TPRM practices map to recommendations outlined in ISO 27001, 27002 and 27036-2.

Meeting ISO 27001, 27002 and 27036-2 TPRM Standards

Here's how Prevalent can help you address ISO third-party risk management standards.

ISO 27001 Controls and How We Help

5 Organizational Controls

5.1 Policies for information security

“Information security policy and topic-specific policies shall be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur.”

5.2 Information security roles and responsibilities

“Information security roles and responsibilities shall be defined and allocated according to the organization needs.”

Prevalent partners with you to build a comprehensive third-party risk management (TPRM) program in line with your broader information security, cybersecurity and privacy protection programs based on proven best practices and extensive real-world experience.

Our experts collaborate with your team on defining and implementing TPRM processes and solutions; selecting risk assessment questionnaires and frameworks; and optimizing your program to address the entire third-party risk lifecycle – from sourcing and due diligence, to termination and offboarding – according to your organization’s risk appetite.

As part of this process, Prevalent can help you define:

  • Clear roles and responsibilities (e.g., RACI)
  • Third-party inventories
  • Risk scoring and thresholds based on your organization’s risk tolerance
  • Assessment and monitoring methodologies based on third-party criticality
  • Fourth-party mapping
  • Sources of continuous monitoring data (cyber, business, reputational, financial)
  • Key performance indicators (KPIs) and key risk indicators (KRIs)
  • Governing policies, standards, systems and processes to protect data
  • Compliance and contractual reporting requirements against service levels
  • Incident response requirements
  • Risk and internal stakeholder reporting
  • Risk mitigation and remediation strategies

5.7 Threat intelligence

"Information relating to information security threats shall be collected and analysed to produce threat intelligence."

Prevalent continuously tracks and analyzes external threats to third parties. The solution monitors the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information.

Monitoring sources include:

  • 1,500+ criminal forums; thousands of onion pages; 80+ dark web special access forums; 65+ threat feeds; and 50+ paste sites for leaked credentials — as well as several security communities, code repositories, and vulnerability databases covering 550,000 companies
  • A database containing 10+ years of data breach history for thousands of companies around the world

All monitoring data is correlated with assessment results and centralized in a unified risk register for each vendor, streamlining risk review, reporting and response initiatives.

5.11 Return of assets

“Personnel and other interested parties as appropriate shall return all the organization’s assets in their possession upon change or termination of their employment, contract or agreement.”

When a termination or exit is required for critical services, Prevalent leverages customizable surveys and workflows to report on system access, data destruction, access management, compliance with relevant laws, final payments, and more. The solution also suggests actions based on answers to offboarding assessments and routes tasks to reviewers as necessary.

5.19 Information security in supplier relationships

“Processes and procedures shall be defined and implemented to manage the information security risks associated with the use of supplier’s products or services.”

Prevalent offers a library of more than 200 pre-built templates, including dedicated ISO questionnaires, for assessing the information security risks associated with third-parties.

Assessments are managed centrally in the Prevalent Platform. They are backed by workflow, task management and automated evidence review capabilities to enable visibility into third-party risks throughout the supplier relationship.

Importantly, Prevalent delivers built-in remediation recommendations based on risk assessment results to ensure that third parties address risks in a timely and satisfactory manner.

For organizations with limited resources and expertise, Prevalent can manage the third-party risk lifecycle on your behalf – from onboarding suppliers and collecting evidence, to providing remediation guidance and reporting on contract SLAs. As a result, you reduce vendor risk and simplify compliance without burdening internal staff.

5.20 Addressing information security within supplier agreements

“Relevant information security requirements shall be established and agreed with each supplier based on the type of supplier relationship.”

Prevalent centralizes the distribution, discussion, retention, and review of supplier contracts. It also offers workflow capabilities to automate the contract lifecycle from onboarding to offboarding.

Key capabilities include:

  • Centralized tracking of all contracts and contract attributes such as type, key dates, value, reminders, and status – with customized, role-based views
  • Workflow capabilities (based on user or contract type) to automate the contract management lifecycle
  • Automated reminders and overdue notices to streamline contract reviews
  • Centralized contract discussion and comment tracking
  • Contract and document storage with role-based permissions and audit trails of all access
  • Version control tracking that supports offline contract and document edits
  • Role-based permissions that enable allocation of duties, access to contracts, and read/write/modify access

5.21 Managing information security in the information and communication technology (ICT) supply chain

“Processes and procedures shall be defined and implemented to manage the information security risks associated with the ICT products and services supply chain.”

Prevalent standardizes assessments against ISO best practices and other information security control frameworks, providing internal audit and IT security teams with a central platform for measuring and demonstrating adherence to secure software development and software development lifecycle (SDLC) practices.

5.22 Monitoring, review and change management of supplier services

“The organization shall regularly monitor, review, evaluate and manage change in supplier information security practices and service delivery.”

Prevalent continuously tracks and analyzes external threats to third parties. The solution monitors the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information.

Monitoring sources include:

  • 1,500+ criminal forums; thousands of onion pages; 80+ dark web special access forums; 65+ threat feeds; and 50+ paste sites for leaked credentials — as well as several security communities, code repositories, and vulnerability databases covering 550,000 companies
  • A database containing 10+ years of data breach history for thousands of companies around the world

All monitoring data is correlated with assessment results and centralized in a unified risk register for each vendor, streamlining risk review, reporting and response initiatives.

5.23 Information security for use of cloud services

“Processes for acquisition, use, management and exit from cloud services shall be established in accordance with the organization’s information security requirements.”

Prevalent standardizes assessments against SOC 2, Cyber Essentials, ISO, and other information security control frameworks, providing key controls assessments against cloud services requirements.

These same assessments are also used to assess information security controls when offboarding cloud services.

5.24 Information security incident management planning and preparation

“The organization shall plan and prepare for managing information security incidents by defining, establishing and communicating information security incident management processes, roles and responsibilities.”

5.25 Assessment and decision on information security events

“The organization shall assess information security events and decide if they are to be categorized as information security incidents.”

5.26 Response to information security incidents

“Information security incidents shall be responded to in accordance with the documented procedures.”

5.28 Collection of evidence

“The organization shall establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events.”

Prevalent enables your team to rapidly identify, respond to, report on, and mitigate the impact of third-party vendor incidents by centrally managing vendors, conducting event assessments, scoring identified risks, correlating against continuous cyber monitoring, and accessing remediation guidance.

Key capabilities include:

  • Continuously updated and customizable event and incident management questionnaires
  • Real-time questionnaire completion progress tracking
  • Defined risk owners with automated chasing reminders to keep surveys on schedule
  • Proactive vendor reporting
  • Consolidated views of risk ratings, counts, scores, and flagged responses for each vendor
  • Workflow rules to trigger automated playbooks to act on risks according to their potential impact to the business
  • Guidance from built-in remediation recommendations to reduce risk
  • Built-in report templates
  • Data and relationship mapping to identify relationships between your organization and third parties to visualize information paths and determine at-risk data

5.30 ICT readiness for business continuity

“ICT readiness shall be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements.”

Prevalent automates the assessment, continuous monitoring, analysis, and remediation of third-party business resilience and continuity – while automatically mapping results to ISO and other control frameworks.

To complement business resilience assessments and validate results, Prevalent:

  • Automates continuous cyber monitoring that may predict possible third-party business impacts
  • Accesses qualitative insights from over 550,000 public and private sources of reputational information that could signal vendor instability
  • Taps into financial information from a global network of 2 million businesses to identify vendor financial health or operational concerns

This proactive approach enables your organization to minimize the impact of third-party disruptions and stay on top of compliance requirements.

The Prevalent Platform includes a comprehensive business resilience assessment based on ISO 22301 standard practices that enables organizations to:

  • Categorize suppliers according to their risk profile and criticality to the business
  • Outline recovery point objectives (RPOs) and recovery time objectives (RTOs)
  • Centralize system inventory, risk assessments, RACI charts, and third parties
  • Ensure consistent communications with suppliers during business disruptions

5.31 Legal, statutory, regulatory and contractual requirements

“Legal, statutory, regulatory and contractual requirements relevant to information security and the organization’s approach to meet these requirements shall be identified, documented and kept up to date.”

Prevalent centralizes the distribution, discussion, retention, and review of supplier contracts. It also offers workflow capabilities to automate the contract lifecycle from onboarding to offboarding.

Key capabilities include:

  • Centralized tracking of all contracts and contract attributes such as type, key dates, value, reminders, and status – with customized, role-based views
  • Workflow capabilities (based on user or contract type) to automate the contract management lifecycle
  • Automated reminders and overdue notices to streamline contract reviews
  • Centralized contract discussion and comment tracking
  • Contract and document storage with role-based permissions and audit trails of all access
  • Version control tracking that supports offline contract and document edits
  • Role-based permissions that enable allocation of duties, access to contracts, and read/write/modify access

5.34 Privacy and protection of personal identifiable information (PII)

“The organization shall identify and meet the requirements regarding the preservation of privacy and protection of PII according to applicable laws and regulations and contractual requirements.”

Prevalent delivers a centralized, collaborative platform for conducting privacy assessments and mitigating both third-party and internal privacy risks. Key data security and privacy assessment capabilities include:

  • Scheduled assessments and relationship mapping to reveal where personal data exists, where it is shared, and who has access – all summarized in a risk register that highlights critical exposures
  • Privacy Impact Assessments to uncover at-risk business data and personally identifiable information (PII)
  • Vendor assessments against GDPR and other privacy regulations via the Prevalent Compliance Framework (PCF), which reveals potential hot spots by mapping identified risks to specific controls
  • GDPR risk and response mapping to controls. Includes percent-compliance ratings and stakeholder-specific reports.
  • A database containing 10+ years of data breach history for thousands of companies – includes types and quantities of stolen data; compliance and regulatory issues; and real-time vendor data breach notifications
  • Centralized onboarding, distribution, discussion, retention, and review of vendor contracts – ensures that data protection provisions are enforced from the beginning of the relationship

5.36 Compliance with policies, rules and standards for information security

“Compliance with the organization’s information security policy, topic-specific policies, rules and standards shall be regularly reviewed.”

With Prevalent, auditors can establish a program to efficiently achieve and demonstrate compliance. The solution automates third-party risk management compliance auditing by collecting vendor risk information, quantifying risks, recommending remediations, and generating reports for dozens of government regulations and industry frameworks.

Prevalent automatically maps information gathered from control-based assessments to ISO 27001, NIST, GDPR, COBIT 5, SSAE 18, SIG, SIG Lite, SOX, NYDFS, and other regulatory frameworks, enabling you to quickly visualize and address important compliance requirements.

ISO 27002 Controls and How We Help

5.19 Information security in supplier relationships

“Processes and procedures should be defined and implemented to manage the information security risks associated with the use of supplier’s products or services.”

5.19 a) “identifying and documenting the types of suppliers (e.g. ICT services, logistics, utilities, financial services, ICT infrastructure components) which can affect the confidentiality, integrity and availability of the organization's information;”

5.19 e) “defining the types of ICT infrastructure components and services provided by suppliers which can affect the confidentiality, integrity and availability of the organization's information;”

The Prevalent Platform enables organizations to automatically tier suppliers according to their inherent risk scores, set appropriate levels of diligence, and determine the scope of ongoing assessments.

Organizations can also categorize vendors with rule-based logic based on a range of data interaction, financial, regulatory and reputational considerations.

5.19 b) “establishing how to evaluate and select suppliers according to the sensitivity of information, products and services (e.g. with market analysis, customer references, review of documents, onsite assessments, certifications);”

Prevalent centralizes and automates the distribution, comparison, and management of requests for proposals (RFPs) and requests for information (RFIs) as part of vendor selection decisions.

Prevalent moves each selected vendor into contracting and/or onboarding due diligence phases, automatically progressing the vendor through the third-party lifecycle.

Prevalent features a library of more than 200 pre-built templates for ongoing third-party risk assessments. These are integrated with native cyber, business, reputational, and financial risk monitoring capabilities, which continuously validate assessment findings and fill gaps between assessments.

Built-in remediation recommendations ensure that third parties address risks in a timely and satisfactory manner.

5.19 c) “evaluating and selecting supplier’s products or services that have adequate information security controls and reviewing them; in particular, accuracy and completeness of controls implemented by the supplier that ensure integrity of the supplier’s information and information processing and hence the organization’s information security;”

The Prevalent Risk Profiling Snapshot enables you to compare and monitor demographics, fourth-party technologies, ESG scores, recent business and reputational insights, data breach history, and financial performance of potential vendors. With the Snapshot, you can see results in line with RFx responses for a holistic view of suppliers – their fit for purpose and fit according to your organization’s risk appetite.

5.19 g) “monitoring compliance with established information security requirements for each type of supplier and type of access, including third-party review and product validation;”

5.19 h) “mitigating non-compliance of a supplier, whether this was detected through monitoring or by other means;”

With Prevalent, auditors can establish a program to efficiently achieve and demonstrate compliance. The solution automates third-party risk management compliance auditing by collecting vendor risk information, quantifying risks, recommending remediations, and generating reports for dozens of government regulations and industry frameworks.

Prevalent automatically maps information gathered from control-based assessments to ISO and other regulatory frameworks and validates it with continuous monitoring, enabling you to quickly visualize and address important compliance requirements.

5.19 i) “handling incidents and contingencies associated with supplier products and services including responsibilities of both the organization and suppliers;”

The Prevalent Third-Party Incident Response Service enables you to rapidly identify and mitigate the impact of supply chain breaches by centrally managing vendors, conducting event assessments, scoring identified risks, and accessing remediation guidance.

5.19 j) “resilience and, if necessary, recovery and contingency measures to ensure the availability of the supplier’s information and information processing and hence the availability of the organization’s information;”

Prevalent automates the assessment, continuous monitoring, analysis, and remediation of third-party business resilience and continuity – while automatically mapping results to ISO and other control frameworks.

To complement business resilience assessments and validate results, Prevalent:

  • Automates continuous cyber monitoring that may predict possible third-party business impacts
  • Accesses qualitative insights from over 550,000 public and private sources of reputational information that could signal vendor instability
  • Taps into financial information from a global network of 2 million businesses to identify vendor financial health or operational concerns

This proactive approach enables your organization to minimize the impact of third-party disruptions and stay on top of compliance requirements.

The Prevalent Platform includes a comprehensive business resilience assessment based on ISO 22301 standard practices that enables organizations to:

  • Categorize suppliers according to their risk profile and criticality to the business
  • Outline recovery point objectives (RPOs) and recovery time objectives (RTOs)
  • Centralize system inventory, risk assessments, RACI charts, and third parties
  • Ensure consistent communications with suppliers during business disruptions.

5.19 m) “requirements to ensure a secure termination of the supplier relationship, including:

1) de-provisioning of access rights;
2) information handling;
3) determining ownership of intellectual property developed during the engagement;
4) information portability in case of change of supplier or insourcing;
5) records management;
6) return of assets;
7) secure disposal of information and other associated assets;
8) ongoing confidentiality requirements”

The Prevalent Platform automates contract assessments and offboarding procedures to reduce your organization’s risk of post-contract exposure.

  • Schedule tasks to review contracts to ensure all obligations have been met. Issue customizable contract assessments to evaluate status.
  • Leverage customizable surveys and workflows to report on system access, data destruction, access management, compliance with all relevant laws, final payments, and more.
  • Centrally store and manage documents and certifications, such as NDAs, SLAs, SOWs and contracts. Leverage built-in automated document analysis based on AWS natural language processing and machine learning analytics to confirm key criteria are addressed.
  • Take actionable steps to reduce vendor risk with built-in remediation recommendations and guidance.
  • Visualize and address compliance requirements by automatically mapping assessment results to any regulation or framework.

5.20 Addressing information security within supplier agreements

"Relevant information security requirements should be established and agreed with each supplier based on the type of supplier relationship."

5.20 d) “legal, statutory, regulatory and contractual requirements, including data protection, handling of personally identifiable information (PII), intellectual property rights and copyright and a description of how it will be ensured that they are met;”

Prevalent centralizes the distribution, discussion, retention, and review of vendor contracts, ensuring that key provisions are included in supplier contracts and continually tracked.

Key capabilities include:

  • Centralized tracking of all contracts and contract attributes such as type, key dates, value, reminders, and status – with customized, role-based views
  • Workflow capabilities (based on user or contract type) to automate the contract management lifecycle
  • Automated reminders and overdue notices to streamline contract reviews
  • Centralized contract discussion and comment tracking
  • Contract and document storage with role-based permissions and audit trails of all access
  • Version control tracking that supports offline contract and document edits
  • Role-based permissions that enable allocation of duties, access to contracts, and read/write/modify access

5.20 e) “obligation of each contractual party to implement an agreed set of controls, including access control, performance review, monitoring, reporting and auditing, and the supplier’s obligations to comply with the organization’s information security requirements;”

The Prevalent solution enables internal, control-based assessments (based on the ISO industry standard framework and/or custom questionnaires). The platform includes built-in workflow capabilities that enable assessors to interact efficiently with third parties during the due diligence collection and review periods. Robust reporting and audit capabilities give each level of management the information it needs to properly review the third party's performance.

Organizations can assess third parties against cybersecurity, SLA performance, and other topics, and correlate findings with the results of continuous outside monitoring for a complete view of risks.

5.20 h) “information security requirements regarding the supplier’s ICT infrastructure; in particular, minimum information security requirements for each type of information and type of access to serve as the basis for individual supplier agreements based on the organization’s business needs and risk criteria;”

5.20 i) “indemnities and remediation for failure of contractor to meet requirements;”

Prevalent provides a framework for centrally measuring third-party KPIs and KRIs against your requirements and reducing gaps in vendor oversight with embedded machine learning (ML) insights and customizable, role-based reports.

The capabilities can help your team to uncover risk and performance trends, determine third-party risk status, and identify exceptions to common behavior that could warrant further investigation.

Built-in remediation recommendations ensure that third parties address risks in a timely and satisfactory manner.

5.20 j) “incident management requirements and procedures (especially notification and collaboration during incident remediation);”

Prevalent enables your team to rapidly identify, respond to, report on, and mitigate the impact of third-party vendor security incidents as part of your broader incident management strategy.

Armed with these insights, your team can better understand the scope and impact of the incident; what data was involved; whether the third party’s operations were impacted; and when remediations have been completed – all by leveraging Prevalent experts.

5.20 l) “relevant provisions for sub-contracting, including the controls that need to be implemented, such as agreement on the use of sub-suppliers (e.g. requiring to have them under the same obligations of the supplier, requiring to have a list of sub-suppliers and notification before any change);”

Prevalent can identify fourth-party and Nth-party subcontracting relationships by conducting a questionnaire-based assessment or by passively scanning the third party’s public-facing infrastructure. The resulting relationship map depicts information paths and dependencies that could expose your environment to risk.

Suppliers discovered through this process are continuously monitored to identify financial, ESG, cyber, business, and data breach risks, as well as for sanctions/PEP screening.

This approach provides insights to address potential technology or geographic concentration risk.

5.20 o) “the evidence and assurance mechanisms of third-party attestations for relevant information security requirements related to the supplier processes and an independent report on effectiveness of controls;”

5.20 q) “supplier’s obligation to periodically deliver a report on the effectiveness of controls and agreement on timely correction of relevant issues raised in the report;”

The Prevalent Controls Validation Service reviews third-party assessment responses and documentation against established testing protocols to validate that indicated controls are in place.

Prevalent experts first review assessment responses, whether from custom or standardized questionnaires. We then map the responses to ISO and/or other control frameworks. Finally, we work with you to develop remediation plans and track them to completion. With remote and onsite options available, Prevalent delivers the expertise to help you reduce risk with your existing resources.

5.20 x) “termination clauses upon conclusion of the agreement including records management, return of assets, secure disposal of information and other associated assets, and any ongoing confidentiality obligations;”

5.20 y) “provision of a method of securely destroying the organization’s information stored by the supplier as soon as it is no longer required;”

5.20 z) “ensuring, at the end of the contract, handover support to another supplier or to the organization itself;”

Prevalent contract lifecycle management capabilities ensure that key provisions are included in supplier contracts and continually tracked. Automated contract assessments and offboarding procedures such as reporting on system access, data destruction, access management, compliance with all relevant laws, and final payments reduce your organization’s risk of post-contract exposure.

5.21 Managing information security in the ICT supply chain

"Processes and procedures should be defined and implemented to manage the information security risks associated with the ICT products and services supply chain."

5.21 b) “requiring that ICT services suppliers propagate the organization’s security requirements throughout the supply chain if they sub-contract for parts of the ICT service provided to the organization;”

5.21 c) “requiring that ICT products suppliers propagate appropriate security practices throughout the supply chain if these products include components purchased or acquired from other suppliers or other entities (e.g. sub-contracted software developers and hardware component providers);”

5.21 f) “implementing a monitoring process and acceptable methods for validating that delivered ICT products and services comply with stated security requirements. Examples of such supplier review methods can include penetration testing and proof or validation of third-party attestations for the supplier’s information security operations;”

Prevalent can identify fourth-party and Nth-party subcontracting relationships by conducting a questionnaire-based assessment or by passively scanning the third party’s public-facing infrastructure.

The resulting relationship map depicts information paths and dependencies that could expose your environment to risk.

Suppliers discovered through this process are continuously monitored to identify financial, ESG, cyber, business, and data breach risks, as well as for sanctions/PEP screening.

This approach provides insights to address potential technology or geographic concentration risk.

5.21 g) “implementing a process for identifying and documenting product or service components that are critical for maintaining functionality and therefore require increased attention, scrutiny and further follow up required when built outside of the organization especially if the supplier outsources aspects of product or service components to other suppliers;”

Prevalent enables you to assess and monitor third parties based on criticality or the extent of threats to their information assets by capturing, tracking and quantifying inherent risks. Criteria used to calculate inherent risk for third-party classification include:

  • Type of content required to validate controls
  • Criticality to business performance and operations
  • Location(s) and related legal or regulatory considerations
  • Level of reliance on fourth parties (to avoid concentration risk)
  • Exposure to operational or client-facing processes
  • Interaction with protected data
  • Financial status and health
  • Reputation

From this inherent risk assessment, your team can automatically tier suppliers; set appropriate levels of further diligence; and determine the scope of ongoing assessments.

Rule-based tiering logic enables vendor categorization using a range of data interaction, financial, regulatory and reputational considerations.
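As an added illustration of inherent-risk scoring and rule-based tiering of the kind described above (example code written for this page, not Prevalent's implementation; the criterion weights, tier thresholds, override rules, diligence plans and the sample supplier profiles are all constructed assumptions):

```python
"""Weighted inherent-risk scoring with rule-based tier overrides.

Assumed model: each intake criterion is scored 0..3 by the vendor owner, the
weighted sum is normalized to 0..100, and a tier is derived from thresholds.
Rule overrides then enforce policy that the arithmetic alone cannot express,
and a continuous-monitoring event can force re-examination of the tier.
"""
from dataclasses import dataclass, field

# Criterion -> weight (assumed). Mirrors the criteria listed on the page.
WEIGHTS = {
    "data_sensitivity": 5,      # interaction with protected data
    "business_criticality": 4,  # criticality to business operations
    "client_exposure": 3,       # exposure to operational / client-facing processes
    "regulatory_location": 2,   # location(s) and legal or regulatory considerations
    "fourth_party_reliance": 2, # reliance on fourth parties (concentration risk)
    "financial_health": 2,      # financial status; higher score = weaker health
    "reputation": 1,            # negative reputational signals
}
MAX_RAW = 3 * sum(WEIGHTS.values())  # every criterion at its maximum of 3

# Tier -> (assessment scope, reassessment interval in days). Assumed plan.
TIER_PLAN = {
    1: ("full control assessment with evidence validation and onsite option", 90),
    2: ("standardized control assessment plus continuous monitoring", 180),
    3: ("lightweight questionnaire plus continuous monitoring", 365),
}

# Monitoring event types that trigger immediate re-examination (assumed).
ESCALATING_EVENTS = {"data_breach", "sanctions_hit"}


@dataclass
class Supplier:
    name: str
    scores: dict              # criterion name -> 0..3
    handles_protected_data: bool = False
    events: list = field(default_factory=list)  # monitoring events observed


def inherent_risk_score(s: Supplier) -> int:
    """Weighted raw score; rejects incomplete or out-of-range intake data."""
    missing = set(WEIGHTS) - set(s.scores)
    if missing:
        raise ValueError(f"{s.name}: missing criteria {sorted(missing)}")
    if any(not 0 <= v <= 3 for v in s.scores.values()):
        raise ValueError(f"{s.name}: criterion scores must be 0..3")
    return sum(WEIGHTS[k] * s.scores[k] for k in WEIGHTS)


def normalized_score(s: Supplier) -> int:
    """Raw score scaled to 0..100 so thresholds are weight-independent."""
    return round(100 * inherent_risk_score(s) / MAX_RAW)


def tier(s: Supplier) -> int:
    """Threshold-based tier, then policy overrides, then event escalation."""
    pct = normalized_score(s)
    t = 1 if pct >= 60 else 2 if pct >= 35 else 3
    # Override 1: a supplier touching protected data is never in the lowest tier.
    if s.handles_protected_data and t == 3:
        t = 2
    # Override 2: maximum data sensitivity with client-facing exposure is Tier 1.
    if s.scores["data_sensitivity"] == 3 and s.scores["client_exposure"] >= 2:
        t = 1
    # Escalation: a breach or sanctions finding from monitoring forces Tier 1.
    if ESCALATING_EVENTS & set(s.events):
        t = 1
    return t


def diligence_plan(s: Supplier) -> dict:
    """Tier plus the scope and cadence of further diligence it implies."""
    t = tier(s)
    scope, days = TIER_PLAN[t]
    # An escalating event means re-assess now rather than on the normal cycle.
    if ESCALATING_EVENTS & set(s.events):
        days = 0
    return {"supplier": s.name, "score": normalized_score(s), "tier": t,
            "scope": scope, "reassess_days": days}


# Constructed sample profiles (not real vendors).
SAMPLE_SUPPLIERS = [
    Supplier("payroll-saas", {"data_sensitivity": 3, "business_criticality": 3,
             "client_exposure": 1, "regulatory_location": 2, "fourth_party_reliance": 2,
             "financial_health": 1, "reputation": 0}, handles_protected_data=True),
    Supplier("marketing-agency", {"data_sensitivity": 2, "business_criticality": 1,
             "client_exposure": 2, "regulatory_location": 1, "fourth_party_reliance": 2,
             "financial_health": 1, "reputation": 1}, handles_protected_data=True),
    Supplier("logistics-broker", {"data_sensitivity": 1, "business_criticality": 2,
             "client_exposure": 1, "regulatory_location": 1, "fourth_party_reliance": 0,
             "financial_health": 0, "reputation": 0}, handles_protected_data=True),
    Supplier("office-plants", {"data_sensitivity": 0, "business_criticality": 0,
             "client_exposure": 0, "regulatory_location": 0, "fourth_party_reliance": 0,
             "financial_health": 1, "reputation": 0}),
]


def plans() -> dict:
    """Diligence plan for every sample supplier, keyed by name."""
    return {s.name: diligence_plan(s) for s in SAMPLE_SUPPLIERS}


if __name__ == "__main__":
    for p in plans().values():
        print(p)
```

The logistics broker scores below the Tier 2 threshold but is held at Tier 2 by the protected-data override, which is the point of layering rules over the weighted sum: the arithmetic captures relative exposure, the rules capture non-negotiable policy. A sanctions or breach event appended to a supplier's `events` pulls it to Tier 1 with an immediate reassessment, which is how "re-examine when significant changes occur" would be represented in such a register.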

5.22 Monitoring, review and change management of supplier services

“The organization should regularly monitor, review, evaluate and manage change in supplier information security practices and service delivery.”

5.22 a) “monitor service performance levels to verify compliance with agreements;”

With the Prevalent Platform, organizations can customize surveys to make it easy to gather and analyze necessary performance and contract data in a single risk register. Prevalent identifies key contract attributes relating to SLAs or performance, populates those requirements in the Platform, and assigns tasks to you and your third party for tracking purposes.

5.22 b) “monitor changes made by suppliers including:

1) enhancements to the current services offered;
2) development of any new applications and systems;
3) modifications or updates of the supplier’s policies and procedures;
4) new or changed controls to resolve information security incidents and to improve information security;”

5.22 c) “monitor changes in supplier services including:

1) changes and enhancement to networks;
2) use of new technologies;
3) adoption of new products or newer versions or releases;
4) new development tools and environments;
5) changes to physical location of service facilities;
6) change of sub-suppliers;
7) sub-contracting to another supplier;”

Prevalent continuously tracks and analyzes external threats to third parties. The solution monitors the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information.

All monitoring data is correlated with assessment results and centralized in a unified risk register for each vendor, streamlining risk review, reporting and response initiatives.

Monitoring sources include:

  • 1,500+ criminal forums; thousands of onion pages; 80+ dark web special access forums; 65+ threat feeds; and 50+ paste sites for leaked credentials — as well as several security communities, code repositories, and vulnerability databases covering 550,000 companies
  • A database containing 10+ years of data breach history for thousands of companies around the world

Because not all threats are direct cyberattacks, Prevalent also incorporates data from the following sources to add context to cyber findings:

  • 550,000 public and private sources of reputational information, including M&A activity, business news, negative news, regulatory and legal information, operational updates, and more
  • A global network of 2 million businesses with 5 years of organizational changes and financial performance, including turnover, profit and loss, shareholder funds, etc.
  • 30,000 global news sources
  • A database containing over 1.8 million politically exposed person profiles
  • Global sanctions lists and over 1,000 global enforcement lists and court filings

5.22 e) “conduct audits of suppliers and sub-suppliers, in conjunction with review of independent auditor’s reports, if available and follow-up on issues identified;”

The Prevalent Controls Validation Service reviews third-party assessment responses and documentation against established testing protocols to validate that indicated controls are in place.

Prevalent experts first review assessment responses, whether from custom or standardized questionnaires. We then map the responses to ISO and/or other control frameworks. Finally, we work with you to develop remediation plans and track them to completion. With remote and onsite options available, Prevalent delivers the expertise to help you reduce risk with your existing resources.

5.22 f) “provide information about information security incidents and review this information as required by the agreements and any supporting guidelines and procedures;”

5.22 g) “review supplier audit trails and records of information security events, operational problems, failures, tracing of faults and disruptions related to the service delivered;”

5.22 h) “respond to and manage any identified information security events or incidents;”

Prevalent enables your team to rapidly identify, respond to, report on, and mitigate the impact of third-party vendor incidents by centrally managing vendors, conducting event assessments, scoring identified risks, correlating against continuous cyber monitoring, and accessing remediation guidance.

Key capabilities include:

  • Continuously updated and customizable event and incident management questionnaires
  • Real-time questionnaire completion progress tracking
  • Defined risk owners with automated chasing reminders to keep surveys on schedule
  • Proactive vendor reporting
  • Consolidated views of risk ratings, counts, scores, and flagged responses for each vendor
  • Workflow rules to trigger automated playbooks to act on risks according to their potential impact to the business
  • Guidance from built-in remediation recommendations to reduce risk
  • Built-in report templates
  • Data and relationship mapping to identify relationships between your organization and third parties to visualize information paths and determine at-risk data

5.22 i) “identify information security vulnerabilities and manage them;”

Prevalent continuously tracks and analyzes external threats to third parties. The solution monitors the Internet and dark web for cyber threats and vulnerabilities, correlating monitoring data with assessment results and centralizing it in a unified risk register for each vendor, streamlining risk review, reporting and response initiatives.

Monitoring sources include:

  • 1,500+ criminal forums; thousands of onion pages; 80+ dark web special access forums; 65+ threat feeds; and 50+ paste sites for leaked credentials — as well as several security communities, code repositories, and vulnerability databases covering 550,000 companies
  • A database containing 10+ years of data breach history for thousands of companies around the world

5.22 j) “review information security aspects of the supplier’s relationships with its own suppliers”

Prevalent can identify fourth-party and Nth-party subcontracting relationships by conducting a questionnaire-based assessment or by passively scanning the third party’s public-facing infrastructure. The resulting relationship map depicts information paths and dependencies that could expose your environment to risk.

Suppliers discovered through this process are continuously monitored to identify financial, ESG, cyber, business, and data breach risks, as well as for sanctions/PEP screening.

5.22 k) “ensure that the supplier maintains sufficient service capability together with workable plans designed to ensure that agreed service continuity levels are maintained following major service failures or disaster;”

Prevalent automates the assessment, continuous monitoring, analysis, and remediation of third-party business resilience and continuity – while automatically mapping results to ISO and other control frameworks.

The Prevalent Platform includes a comprehensive business resilience assessment based on ISO 22301 standard practices that enables organizations to:

  • Categorize suppliers according to their risk profile and criticality to the business
  • Outline recovery point objectives (RPOs) and recovery time objectives (RTOs)
  • Centralize system inventory, risk assessments, RACI charts, and third parties
  • Ensure consistent communications with suppliers during business disruptions

This proactive approach enables your organization to minimize the impact of third-party disruptions and stay on top of compliance requirements.

5.22 m) “evaluate regularly that the suppliers maintain adequate information security levels;”

Prevalent automates risk assessments to extend the visibility, efficiency and scale of your third-party risk management program across every stage of the third-party lifecycle.

With a library of 200+ standardized assessments, customization capabilities, and built-in workflow and remediation, the solution automates everything from survey collection and analysis to risk rating and reporting.

With Prevalent, you can easily gather and correlate intelligence on a wide range of vendor controls to determine threats to information management, based on the criticality of the third party as determined by the inherent risk assessment.

Results of assessments and continuous monitoring are collated in a single risk register with heat map reporting that measures and categorizes risks based on likelihood and impact. With this insight, teams can easily see the consequences of a risk and have ready-made remediation recommendations for third parties to mitigate the risks.

ISO 27036-2 Controls / How We Help

6 Information security in supplier relationship management

6.1.1.1 Agreement processes / Acquisition process / Objective

Establish a supplier relationship strategy that:

  • is based on the information security risk tolerance of the acquirer;
  • defines the information security foundation to use when planning, preparing, managing and terminating the procurement of a product or service.

6.1.2.1 Agreement processes / Supply process / Objective

Establish an acquirer relationship strategy that:

  • is based on the information security risk tolerance of the supplier;
  • defines the information security baseline to use when planning, preparing, managing and terminating the supply of a product or service.

Prevalent partners with you to build a comprehensive third-party risk management (TPRM) program in line with your broader information security and governance, risk and compliance programs based on proven best practices and extensive real-world experience.

Our experts collaborate with your team on defining and implementing TPRM processes and solutions; selecting risk assessment questionnaires and frameworks; and optimizing your program to address the entire third-party risk lifecycle – from sourcing and due diligence, to termination and offboarding – according to your organization’s risk appetite.

As part of this process, Prevalent can help you define:

  • Clear roles and responsibilities (e.g., RACI)
  • Third-party inventories
  • Risk scoring and thresholds based on your organization’s risk tolerance
  • Assessment and monitoring methodologies based on third-party criticality
  • Fourth-party mapping
  • Sources of continuous monitoring data (cyber, business, reputational, financial)
  • Key performance indicators (KPIs) and key risk indicators (KRIs)
  • Governing policies, standards, systems and processes to protect data
  • Compliance and contractual reporting requirements against service levels
  • Incident response requirements
  • Risk and internal stakeholder reporting
  • Risk mitigation and remediation strategies

6.2.1 Organizational project-enabling processes / Life cycle model management process

a) The acquirer and the supplier shall establish the life cycle model management process when managing information security in supplier relationships.

Prevalent helps to eliminate the security and compliance exposures that come from working with vendors, suppliers and other third parties across the entire vendor risk lifecycle – from sourcing and selection to offboarding and everything in between.

6.2.2.1 Organizational project-enabling processes / Infrastructure management process / Objective

a) Provide the enabling infrastructure to support the organization in managing information security within supplier relationships.

Prevalent provides a central SaaS platform that enables acquirers and suppliers to collaborate on risk reduction by automating risk assessments against more than 200 industry standards, including ISO. With the platform, acquirers gain built-in workflow and remediation, automated analysis and reporting.

6.2.2.2 Organizational project-enabling processes / Infrastructure management process / Activities

b) Define, implement, maintain and improve contingency arrangements to ensure that the procurement or the supply of a product or service can continue in the event of its disruption caused by natural or man-made causes.

Prevalent automates the assessment, continuous monitoring, analysis, and remediation of third-party business resilience and continuity – while automatically mapping results to ISO and other control frameworks.

To complement business resilience assessments and validate results, Prevalent:

  • Automates continuous cyber monitoring that may predict possible third-party business impacts
  • Accesses qualitative insights from over 550,000 public and private sources of reputational information that could signal vendor instability
  • Taps into financial information from a global network of 2 million businesses to identify vendor financial health or operational concerns

This proactive approach enables your organization to minimize the impact of third-party disruptions and stay on top of compliance requirements.

The Prevalent Platform includes a comprehensive business resilience assessment based on ISO 22301 standard practices that enables organizations to:

  • Categorize suppliers according to their risk profile and criticality to the business
  • Outline recovery point objectives (RPOs) and recovery time objectives (RTOs)
  • Centralize system inventory, risk assessments, RACI charts, and third parties
  • Ensure consistent communications with suppliers during business disruptions

6.2.3.2 Project portfolio management process / Activities

a) Define, implement, maintain and improve a process for identifying and categorizing suppliers or acquirers based on the sensitivity of the information shared with them and on the access level granted to them to acquirer’s or supplier’s assets, such as information and information systems;

Prevalent enables you to assess and monitor third parties based on criticality or the extent of threats to their information assets by capturing, tracking and quantifying inherent risks. Criteria used to calculate inherent risk for third-party classification include:

  • Type of content required to validate controls
  • Criticality to business performance and operations
  • Location(s) and related legal or regulatory considerations
  • Level of reliance on fourth parties (to avoid concentration risk)
  • Exposure to operational or client-facing processes
  • Interaction with protected data
  • Financial status and health
  • Reputation

From this inherent risk assessment, your team can automatically tier suppliers; set appropriate levels of further diligence; and determine the scope of ongoing assessments.

Rule-based tiering logic enables vendor categorization using a range of data interaction, financial, regulatory and reputational considerations.

6.3.4.1 Project processes / Risk management process / Objective

a) Continuously address information security risks in supplier relationships and throughout their life cycle including re-examining them periodically or when significant business, legal, regulatory, architectural, policy and contractual changes occur.

Prevalent continuously tracks and analyzes external threats to third parties. The solution monitors the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information.

All monitoring data is correlated with assessment results and centralized in a unified risk register for each vendor, streamlining risk review, reporting and response initiatives.

Monitoring sources include:

  • 1,500+ criminal forums; thousands of onion pages; 80+ dark web special access forums; 65+ threat feeds; and 50+ paste sites for leaked credentials — as well as several security communities, code repositories, and vulnerability databases covering 550,000 companies
  • A database containing 10+ years of data breach history for thousands of companies around the world

Because not all threats are direct cyberattacks, Prevalent also incorporates data from the following sources to add context to cyber findings:

  • 550,000 public and private sources of reputational information, including M&A activity, business news, negative news, regulatory and legal information, operational updates, and more
  • A global network of 2 million businesses with 5 years of organizational changes and financial performance, including turnover, profit and loss, shareholder funds, etc.
  • 30,000 global news sources
  • A database containing over 1.8 million politically exposed person profiles
  • Global sanctions lists and over 1,000 global enforcement lists and court filings

6.3.7.1 Project processes / Measurement process / Objective

a) Collect, analyze, and report information security measures related to the procurement or supply of a product or service to demonstrate the maturity of information security in a supplier relationship and to support effective management of processes.

Prevalent automates risk assessments to extend the visibility, efficiency and scale of your third-party risk management program across every stage of the third-party lifecycle.

With a library of 200+ standardized assessments, customization capabilities, and built-in workflow and remediation, the solution automates everything from survey collection and analysis to risk rating and reporting.

With Prevalent, you can easily gather and correlate intelligence on a wide range of vendor controls to determine threats to information management, based on the criticality of the third party as determined by the inherent risk assessment.

Results of assessments and continuous monitoring are collated in a single risk register with heat map reporting that measures and categorizes risks based on likelihood and impact. With this insight, teams can easily see the consequences of a risk and have ready-made remediation recommendations for third parties to mitigate the risks.

7 Information security in a supplier relationship instance

7.2.1 Supplier selection process / Objectives

a) Select a supplier that provides adequate information security for the product or service that may be procured.

The Prevalent Risk Profiling Snapshot enables you to compare and monitor demographics, fourth-party technologies, ESG scores, recent business and reputational insights, data breach history, and financial performance of potential vendors. With the Snapshot, you can see results in line with RFx responses for a holistic view of suppliers – their fit for purpose and fit according to your organization’s risk appetite.

7.3.1 Supplier relationship management process / Objective

Establish and agree on a supplier relationship agreement addressing the following:
— information security roles and responsibilities of the acquirer and the supplier;
— security controls required across information security, ICT security, personnel security and physical security;
— a transition process when the product or service has been previously operated or manufactured by a party different from the supplier;
— information security change management;
— information security incident management;
— compliance monitoring and enforcement;
— a termination process.

The Prevalent Platform automates workflows required to assess, manage, continuously monitor and remediate third-party security, privacy, compliance, and procurement/supply chain-related risks across every stage of the vendor lifecycle. The solution:

  • Automates vendor onboarding and offboarding
  • Profiles, tiers and scores inherent risk for all suppliers
  • Automates fourth-party mapping and vendor demographics in a central profile
  • Delivers the largest library of standardized and custom risk assessments with built-in workflow, tasks, and evidence management
  • Integrates native cyber, business, reputational and financial risk monitoring to correlate risks against assessment results and validate findings
  • Includes machine learning analytics to normalize and correlate findings from multiple sources
  • Delivers compliance and risk reporting by framework or regulation
  • Improves remediation management with built-in guidance
  • Includes Contract and RFx management to enable more complete risk management prior to onboarding
  • Automates third-party incident response

7.4.1 Supplier relationship management process / Objectives

a) Maintain information security during the execution period of the supplier relationship in accordance with the supplier relationship agreement and by particularly considering the following:

4) Monitor and enforce compliance of the supplier with information security provisions defined in the supplier relationship agreement.

With the Prevalent Platform, acquirers can automatically map information gathered from control-based assessments to regulatory frameworks – including ISO and many others – to quickly visualize and address important compliance requirements at every stage of the supplier lifecycle.

7.5.1 Supplier relationship termination process / Objectives

a) Protect the product or service supply during termination to avoid any information security, legal and regulatory impacts after the notice of termination;

b) Terminate the product or service supply in accordance with the termination plan.

The Prevalent Platform automates contract assessments and offboarding procedures to reduce your organization’s risk of post-contract exposure.

  • Schedule tasks to review contracts to ensure all obligations have been met. Issue customizable contract assessments to evaluate status.
  • Leverage customizable surveys and workflows to report on system access, data destruction, access management, compliance with all relevant laws, final payments, and more.
  • Centrally store and manage documents and certifications, such as NDAs, SLAs, SOWs and contracts. Leverage built-in automated document analysis based on AWS natural language processing and machine learning analytics to confirm key criteria are addressed.
  • Take actionable steps to reduce vendor risk with built-in remediation recommendations and guidance.
  • Visualize and address compliance requirements by automatically mapping assessment results to any regulation or framework.

Align Your TPRM Program with ISO, NIST, SOC 2 and More

Download this guide to review specific requirements from 11 different cybersecurity authorities, identify TPRM capabilities that map to each requirement, and uncover best practices for ensuring compliance.
