
ISO 27001, 27002 and 27018 Compliance

ISO and Third-Party Risk Management

The International Organization for Standardization is an international standard-setting body composed of representatives from various national standards organizations. Founded in 1947, the organization promotes worldwide proprietary, industrial and commercial standards. The ISO 27001, 27002 and 27018 standards set requirements for establishing, implementing, maintaining and continually improving an information security management system.


  • ISO 27001 is the standard against which cyber and information security practices are rigorously evaluated and certified. It provides requirements for establishing, implementing, maintaining and continually improving an information security management system.

  • ISO 27002 is a supplementary standard that provides advice on how to implement the security controls listed in Annex A of ISO 27001. It helps organizations consider what they need to put in place to meet these requirements.

  • ISO 27018, when used in conjunction with the information security objectives and controls in ISO 27002, creates “a common set of security categories and controls that can be implemented by a public cloud computing service provider acting as a PII processor.”

With respect to managing information security in supplier relationships, Section 15 of ISO 27001 and ISO 27002 summarizes the requirements for securely dealing with the various types of third parties.

Relevant Requirements

  • Create an information security policy for supplier relationships that outlines specific policies and procedures and mandates that specific controls be in place to manage risk

  • Establish contractual supplier agreements with any third party that may access, process, store or communicate an organization’s data, or provide IT infrastructure components for it

  • Include requirements to address the information security risks associated with information and communications technology services and product supply chain

  • Monitor, review and audit supplier service delivery

  • Manage changes to the supplier services, considering re-assessment of risks

Satisfying Third-Party Risk Management Compliance Requirements

Discover the key third-party risk management requirements in common regulatory and security frameworks, and learn how Prevalent maps to specific mandates so you can achieve compliance while mitigating vendor risk.


Meeting ISO 27001 / 27002 / 27018 TPRM Standards

Here's how Prevalent can help you address ISO third-party risk management standards:

ISO 27001 / 27002 Requirements

How We Help

15.1 Information security in supplier relationships

"Objective: To ensure protection of the organization’s assets that are accessible by suppliers."

The Prevalent Assessment service offers security, privacy, and risk management professionals an automated platform to manage the supplier risk assessment process and determine third-party compliance with IT security, regulatory, and data privacy requirements. It employs both standard and custom questionnaires to help collect evidence and provides bi-directional remediation workflows, live reporting, and an easy-to-use dashboard. With clear reporting and remediation guidance, the platform ensures that risks are identified and escalated to the proper channels.

15.1.1 Information security policy for supplier relationships

"Information security requirements for mitigating the risks associated with supplier’s access to the organization’s assets should be agreed with the supplier and documented."

The Prevalent Third-Party Risk Management platform provides a complete solution for performing assessments and an environment to include and manage documented due-diligence evidence.

15.1.2 Addressing security in supplier agreements

"All relevant information security requirements should be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization’s information."

The Prevalent Assessment solution ensures suppliers implement the exact, agreed-upon requirements with regular tracking and verification.

15.1.2 (d)

"obligation of each contractual party to implement an agreed set of controls including access control, performance review, monitoring, reporting and auditing;"

The Prevalent solution enables internal control-based assessments (based on industry standard framework questionnaires and/or custom questionnaires). The platform includes built-in workflow capability enabling assessors to interact efficiently with third parties during the due diligence collection and review periods. Robust reporting and audit capabilities give each level of management the information it needs to properly review the third party's performance.

15.1.2 (m)

"right to audit the supplier processes and controls related to the agreement;"

The Prevalent Assessment solution provides a simple, trackable, repeatable mechanism to perform controls audits.

15.1.2 (n)

"defect resolution and conflict resolution processes;"

Bi-directional workflow in the Prevalent Assessment platform includes built-in discussion tools to enable communication with suppliers on remediating issues.

15.1.2 (p)

"supplier’s obligations to comply with the organization’s security requirements."

The Prevalent Assessment solution ensures suppliers implement the exact, agreed-upon requirements with regular tracking and verification.

15.1.3 Information and communication technology supply chain

"Agreements with suppliers should include requirements to address the information security risks associated with information and communications technology services and product supply chain."

Prevalent’s TPRM platform provides a complete set of internal and external assessment and monitoring services to ensure a full view of a supplier's information, communications and product supply chain security posture.

15.1.3 (d)

"implementing a monitoring process and acceptable methods for validating that delivered information and communication technology products and services are adhering to stated security requirements;"

The Prevalent solution includes a mechanism to perform reviews; monitor compliance with agreed policies; and audit and generate regular reports for all levels of management.

15.2 Supplier service delivery management

15.2.1 Monitoring and review of supplier services

"Organizations should regularly monitor, review and audit supplier service delivery. Monitoring and review of supplier services should ensure that the information security terms and conditions of the agreements are being adhered to and that information security incidents and problems are managed properly."

The Prevalent TPRM Platform unifies internal control-based assessments (based on industry-standard framework questionnaires and/or custom questionnaires) with continuous vendor threat monitoring to deliver a holistic security risk rating, enabling organizations to zero in on the most important or impactful risks.

The platform includes built-in workflow capability enabling assessors to interact efficiently with third parties during the due diligence collection and review periods.

15.2.1 (c)

"conduct audits of suppliers, in conjunction with review of independent auditor’s reports, if available, and follow-up on issues identified;"

The Prevalent platform provides a simple, trackable, repeatable mechanism to perform audits along with a workflow and shared communication mechanism to track issues to resolution.

15.2.1 (g)

"review information security aspects of the supplier’s relationships with its own suppliers;"

The Prevalent solution provides a detailed map to visualize all relationships for each entity and other business entities (e.g., vendors / departments / datasets). This capability enables organizations to monitor the relationships between third, fourth, and Nth parties.

ISO 27018 Requirements

How We Help

15 Supplier Relationships

"The objectives specified in, and the contents of, ISO/IEC 27002:2013, Clause 15 apply."

Cloud providers must be treated in the same way as any other third-party supplier relationship. The platform delivers a 360-degree view of supplier risk, including cloud providers, with clear and concise reporting tied to specific regulations and control frameworks for improved visibility and decision making.
