
ISO 27001, 27002, 27018, 27036-2 and 27701

ISO and Third-Party Risk Management

The International Organization for Standardization is an international standard-setting body composed of representatives from various national standards organizations. Founded in 1947, the organization promotes worldwide proprietary, industrial and commercial standards.

The ISO 27001, 27002, 27018, and 27036-2 standards set requirements for establishing, implementing, maintaining and continually improving an information security management system.

  • ISO 27001 is a stringent standard for evaluating cyber and information security practices. It provides requirements for establishing, implementing, maintaining and continually improving an information security management system.

  • ISO 27002 is a supplementary standard that provides advice on how to implement the security controls listed in Annex A of ISO 27001. It helps organizations consider what they need to put in place to meet these requirements.

  • ISO 27018, when used in conjunction with the information security objectives and controls in ISO 27002, creates “a common set of security categories and controls that can be implemented by a public cloud computing service provider acting as a PII processor.”

  • ISO 27036-2 specifies information security requirements for "defining, implementing, operating, monitoring, reviewing, maintaining and improving supplier and acquirer relationships."

  • ISO 27701 was the first international standard on privacy information management, which helps organizations to demonstrate the methods and controls used in protecting both their internal and customers’ personal data.

With respect to managing information security in supplier relationships, Section 15 of 27001 and 27002, and Clauses 6 and 7 of 27036-2 summarize the requirements for securely dealing with various types of third parties.

Relevant Requirements

  • Create an information security policy for supplier relationships that outlines specific policies and procedures and mandates specific controls be in place to manage risk

  • Establish contractual supplier agreements for any third party that may access, process, store, communicate or provide IT infrastructure to an organization’s data

  • Include requirements to address the information security risks associated with information and communications technology services and product supply chain

  • Monitor, review and audit supplier service delivery

  • Manage changes to the supplier services, considering re-assessment of risks

Satisfying Third-Party Risk Management Compliance Requirements

Discover the key third-party risk management requirements in common regulatory and security frameworks, and learn how Prevalent maps to specific mandates so you can achieve compliance while mitigating vendor risk.


Meeting ISO 27001, 27002, 27018, 27036-2 & 27701 TPRM Standards

Here's how Prevalent can help you address ISO third-party risk management standards:

ISO 27001 / 27002 Requirements and How We Help

15.1 Information security in supplier relationships

"Objective: To ensure protection of the organization’s assets that are accessible by suppliers."

The Prevalent Assessment service offers security, privacy, and risk management professionals an automated platform to manage the supplier risk assessment process and determine third-party compliance with IT security, regulatory, and data privacy requirements. It employs both standard and custom questionnaires to help collect evidence and provides bi-directional remediation workflows, live reporting, and an easy-to-use dashboard. With clear reporting and remediation guidance, the platform ensures that risks are identified and escalated to the proper channels.

15.1.1 Information security policy for supplier relationships

"Information security requirements for mitigating the risks associated with supplier’s access to the organization’s assets should be agreed with the supplier and documented."

The Prevalent Third-Party Risk Management platform provides a complete solution for performing assessments and an environment to include and manage documented due-diligence evidence.

15.1.2 Addressing security in supplier agreements

"The organization should specify in agreements with suppliers whether PII is processed and the minimum technical and organizational measures that the supplier needs to meet in order for the organization to meet its information security and PII protection obligations. All relevant information security requirements should be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization’s information."

The Prevalent Privacy Information Management Survey (PIMS) provides organizations with a comprehensive assessment based around the ISO/IEC 27701:2019 standard for privacy information management, leveraging the structure and framework of the ISO 27001:2013 standard’s security controls. This brings together a detailed assessment on how an organization has implemented information security controls and applied additional privacy-based controls to manage and support the products and services being provided.

The survey has been designed such that specific sections are used depending on the role an organization plays (that of a PII processor or PII controller). This survey can be used by PII controllers (including those that are joint PII controllers) and PII processors.

15.1.2 (d)

"obligation of each contractual party to implement an agreed set of controls including access control, performance review, monitoring, reporting and auditing;"

The Prevalent solution enables internal control-based assessments (based on industry standard framework questionnaires and/or custom questionnaires). The platform includes built-in workflow capability enabling assessors to interact efficiently with third parties during the due diligence collection and review periods. Robust reporting and audit capabilities give each level of management the information it needs to properly review the third party's performance.

15.1.2 (m)

"right to audit the supplier processes and controls related to the agreement;"

The Prevalent Assessment solution provides a simple, trackable, repeatable mechanism to perform controls audits.

15.1.2 (n)

"defect resolution and conflict resolution processes;"

Bi-directional workflow in the Prevalent Assessment platform includes built-in discussion tools to enable communication with suppliers on remediating issues.

15.1.2 (p)

"supplier’s obligations to comply with the organization’s security requirements."

The Prevalent Assessment solution ensures suppliers implement the exact, agreed-upon requirements with regular tracking and verification.

15.1.3 Information and communication technology supply chain

"Agreements with suppliers should include requirements to address the information security risks associated with information and communications technology services and product supply chain."

Prevalent’s TPRM platform provides a complete set of internal and external assessment and monitoring services to ensure a full view of a supplier's information, communications and product supply chain security posture.

15.1.3 (d)

"implementing a monitoring process and acceptable methods for validating that delivered information and communication technology products and services are adhering to stated security requirements;"

The Prevalent solution includes a mechanism to perform reviews; monitor compliance with agreed policies; and audit and generate regular reports for all levels of management.

15.2 Supplier service delivery management

15.2.1 Monitoring and review of supplier services

"Organizations should regularly monitor, review and audit supplier service delivery. Monitoring and review of supplier services should ensure that the information security terms and conditions of the agreements are being adhered to and that information security incidents and problems are managed properly."

The Prevalent TPRM Platform unifies internal control-based assessments (based on industry standard framework questionnaires and/or custom questionnaires) with continuous vendor threat monitoring to deliver a holistic security risk rating, enabling organizations to zero in on the most important or impactful risks.

The platform includes built-in workflow capability enabling assessors to interact efficiently with third parties during the due diligence collection and review periods.

15.2.1 (c)

"conduct audits of suppliers, in conjunction with review of independent auditor’s reports, if available, and follow-up on issues identified;"

The Prevalent platform provides a simple, trackable, repeatable mechanism to perform audits along with a workflow and shared communication mechanism to track issues to resolution.

15.2.1 (g)

"review information security aspects of the supplier’s relationships with its own suppliers;"

The Prevalent solution provides a detailed map to visualize all relationships between each entity and other business entities (e.g., vendors, departments, datasets). This capability enables organizations to monitor the relationships between third, fourth, and Nth parties.

ISO 27036-2 Requirements and How We Help

6 Information security in supplier relationship management

6.1.1.1 Agreement processes / Acquisition process / Objective

a) Establish a supplier relationship strategy that:
1) Is based on the information security risk tolerance of the acquirer;
2) Defines the information security foundation to use when planning, preparing, managing and terminating the procurement of a product or service.

Prevalent Vendor Risk Intelligence Networks provide instant access to thousands of completed, industry-standard vendor risk profiles offering real-time security, reputational and financial information. With these insights in hand, procurement teams can contract with vendors that meet their organization’s risk tolerance levels and easily compare vendors against common security criteria.

6.2.1 Organizational project-enabling processes / Life cycle model management process

a) The acquirer and the supplier shall establish the life cycle model management process when managing information security in supplier relationships.

Prevalent helps to eliminate the security and compliance exposures that come from working with vendors, suppliers and other third parties across the entire vendor risk lifecycle – from sourcing and selection to offboarding and everything in between.

6.2.2.1 Organizational project-enabling processes / Infrastructure management process / Objective

a) Provide the enabling infrastructure to support the organization in managing information security within supplier relationships.

Prevalent provides a central SaaS platform that enables acquirers and suppliers to collaborate on risk reduction by automating risk assessments against more than 75 industry standards – including ISO. With the platform acquirers gain built-in workflow and remediation, automated analysis and reporting.

6.3.4.1 Project processes / Risk management process / Objective

a) Continuously address information security risks in supplier relationships and throughout their life cycle including re-examining them periodically or when significant business, legal, regulatory, architectural, policy and contractual changes occur.

Prevalent [Vendor Threat Monitor](/products/vendor-risk-monitoring/) continuously tracks and analyzes threats to your third parties. The solution monitors the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information.

The solution is backed by a dedicated and custom contract assessment questionnaire that enables comprehensive reviews by identifying potential breaches of contract and other risks as the relationship progresses.

6.3.7.1 Project processes / Measurement process / Objective

a) Collect, analyze, and report information security measures related to the procurement or supply of a product or service to demonstrate the maturity of information security in a supplier relationship and to support effective management of processes.

With Prevalent, acquirers can reveal supplier cyber incidents by monitoring 1,500+ criminal forums; thousands of onion pages; 80+ dark web special access forums; 65+ threat feeds; and 50+ paste sites for leaked credentials — as well as several security communities, code repositories, and vulnerability databases.

These results can then be correlated against completed risk assessments for a more complete picture of a supplier’s risk posture. With these insights, acquirers have a central risk register to manage recommended remediations and report on progress.

7 Information security in a supplier relationship instance

7.2.1 Supplier selection process / Objectives

a) Select a supplier that provides adequate information security for the product or service that may be procured.

Prevalent Vendor Risk Intelligence Networks provide instant access to thousands of completed, industry-standard vendor risk profiles offering real-time security, reputational and financial information. With these insights in hand, procurement teams can contract with vendors that meet their organization’s risk tolerance levels and easily compare vendors against common security criteria.

7.4.1 Supplier relationship management process / Objectives

a) Maintain information security during the execution period of the supplier relationship in accordance with the supplier relationship agreement and by particularly considering the following:
4) Monitor and enforce compliance of the supplier with information security provisions defined in the supplier relationship agreement.

With the Prevalent Platform, acquirers can automatically map information gathered from control-based assessments to regulatory frameworks – including ISO and many others – to quickly visualize and address important compliance requirements at every stage of the supplier lifecycle.

7.5.1 Supplier relationship termination process / Objectives

a) Protect the product or service supply during termination to avoid any information security, legal and regulatory impacts after the notice of termination;
b) Terminate the product or service supply in accordance with the termination plan.

The Prevalent Third-Party Risk Management Platform automates contract assessments and offboarding procedures to reduce your organization’s risk of post-contract exposure.

Leverage customizable surveys and workflows to report on system access, data destruction, access management, compliance with all relevant laws, final payments, and more.

ISO 27018 Requirements and How We Help

15 Supplier Relationships

"The objectives specified in, and the contents of, ISO/IEC 27002:2013, Clause 15 apply."

Cloud providers must be treated in the same way as other third-party supplier relationships. The platform delivers a 360-degree view of supplier risk, including cloud providers, with clear and concise reporting tied to specific regulations and control frameworks for improved visibility and decision making.
