ISO 27001, 27002 and 27018 Compliance

Complying with ISO 27001 / 27002 / 27018 Standards

The International Organization for Standardization is an international standard-setting body composed of representatives from various national standards organizations. Founded in 1947, the organization promotes worldwide proprietary, industrial and commercial standards. The ISO 27001, 27002 and 27018 standards set requirements for establishing, implementing, maintaining and continually improving an information security management system.

ISO and Third-Party Risk Management

ISO 27001 is a stringent standard for evaluating cyber and information security practices. It specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS).

ISO 27002 is a supplementary standard that provides advice on how to implement the security controls listed in Annex A of ISO 27001. It helps organizations consider what they need to put in place to meet these requirements.

ISO 27018, when used in conjunction with the information security objectives and controls in ISO 27002, creates “a common set of security categories and controls that can be implemented by a public cloud computing service provider acting as a PII processor.”    

With respect to managing information security in supplier relationships, Section 15 of ISO 27001 and 27002 summarizes the requirements for securely dealing with the various types of third parties an organization works with.

Relevant Guidance

Section 15 of ISO 27001 and 27002 provides the following guidance for managing suppliers:

  • Create an information security policy for supplier relationships that outlines specific policies and procedures and mandates specific controls be in place to manage risk
  • Establish contractual supplier agreements for any third party that may access, process, store, communicate or provide IT infrastructure to an organization’s data
  • Include requirements to address the information security risks associated with information and communications technology services and product supply chain
  • Monitor, review and audit supplier service delivery
  • Manage changes to the supplier services, considering re-assessment of risks

Meeting ISO 27001 / 27002 / 27018 Third-Party Risk Management Standards

Here's how Prevalent can help you address ISO third-party risk management standards:

ISO 27001:2013: Information Security Management Systems (ISMS) Requirements and ISO 27002:2013: Code of Practice for Information Security Controls

ISO 27001 / 27002 Requirements, and How Prevalent Helps

15.1 Information security in supplier relationships 

"Objective: To ensure protection of the organization’s assets that are accessible by suppliers."

The Prevalent Assessment service offers security, privacy, and risk management professionals an automated platform to manage the supplier risk assessment process and determine third-party compliance with IT security, regulatory, and data privacy requirements. It employs both standard and custom questionnaires to help collect evidence and provides bi-directional remediation workflows, live reporting, and an easy-to-use dashboard. With clear reporting and remediation guidance, the platform ensures that risks are identified and escalated to the proper channels.


15.1.1 Information security policy for supplier relationships

"Information security requirements for mitigating the risks associated with supplier’s access to the organization’s assets should be agreed with the supplier and documented."


The Prevalent Third-Party Risk Management platform provides a complete solution for performing assessments and an environment to include and manage documented due-diligence evidence. 

15.1.2 Addressing security in supplier agreements

"All relevant information security requirements should be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization’s information."

The Prevalent Assessment solution ensures suppliers implement the exact, agreed-upon requirements with regular tracking and verification.

15.1.2 (d)

"obligation of each contractual party to implement an agreed set of controls including access control, performance review, monitoring, reporting and auditing;"


The Prevalent solution enables internal control-based assessments (based on industry standard framework questionnaires and/or custom questionnaires). The platform includes built-in workflow capability enabling assessors to interact efficiently with third parties during the due diligence collection and review periods. Robust reporting and audit capabilities give each level of management the information it needs to properly review the third party's performance.


15.1.2 (m) 

"right to audit the supplier processes and controls related to the agreement;"


The Prevalent Assessment solution provides a simple, trackable, repeatable mechanism to perform controls audits.

15.1.2 (n) 

"defect resolution and conflict resolution processes;"


Bi-directional workflow in the Prevalent Assessment platform includes built-in discussion tools to enable communication with suppliers on remediating issues. 

15.1.2 (p)

"supplier’s obligations to comply with the organization’s security requirements."


The Prevalent Assessment solution ensures suppliers implement the exact, agreed-upon requirements with regular tracking and verification.

15.1.3 Information and communication technology supply chain

"Agreements with suppliers should include requirements to address the information security risks associated with information and communications technology services and product supply chain."


Prevalent’s TPRM platform provides a complete set of internal and external assessment and monitoring services to ensure a full view of a supplier's information, communications and product supply chain security posture.

15.1.3 (d) 

"implementing a monitoring process and acceptable methods for validating that delivered information and communication technology products and services are adhering to stated security requirements;"


The Prevalent solution includes a mechanism to perform reviews; monitor compliance with agreed policies; and audit and generate regular reports for all levels of management.  

15.2 Supplier service delivery management

15.2.1 Monitoring and review of supplier services

"Organizations should regularly monitor, review and audit supplier service delivery. Monitoring and review of supplier services should ensure that the information security terms and conditions of the agreements are being adhered to and that information security incidents and problems are managed properly."


The Prevalent TPRM Platform unifies internal control-based assessments (based on industry standard framework questionnaires and/or custom questionnaires) with continuous vendor threat monitoring to deliver a holistic security risk rating, enabling organizations to zero in on the most important or impactful risks.

The platform includes built-in workflow capability enabling assessors to interact efficiently with third parties during the due diligence collection and review periods.


15.2.1 (c)

"conduct audits of suppliers, in conjunction with review of independent auditor’s reports, if available, and follow-up on issues identified;"


The Prevalent platform provides a simple, trackable, repeatable mechanism to perform audits along with a workflow and shared communication mechanism to track issues to resolution.

15.2.1 (g)

"review information security aspects of the supplier’s relationships with its own suppliers;"


The Prevalent solution provides a detailed map that visualizes the relationships between each entity and the other business entities it is connected to (e.g., vendors, departments and datasets). This capability enables organizations to monitor the relationships between third, fourth and Nth parties.

ISO 27018:2019(E): Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors

ISO 27018 Requirements, and How Prevalent Helps

15 Supplier Relationships

"The objectives specified in, and the contents of, ISO/IEC 27002:2013, Clause 15 apply."


Cloud providers must be treated in the same way as other third-party supplier relationships. The platform delivers a 360-degree view of supplier risk, including cloud providers, with clear and concise reporting tied to specific regulations and control frameworks for improved visibility and decision making.

The Prevalent Difference

Prevalent’s Third-Party Risk Management Platform offers a complete framework for implementing the policy management, auditing and reporting required by the third-party risk compliance requirements of ISO 27001, 27002 and 27018. Maintaining a strong Information Security Management System is part of the supplier lifecycle and requires a complete, internal view of the controls in place as well as continuous monitoring of all third parties. This cannot be addressed with a simple, external automated scan.