Supply Chain Security – Tick box compliance no longer enough

Phil Lewis of Alliantist describes how data protection regulations are driving big changes in the way we approach supplier security and compliance.

Compliance is moving away from contractual but trust-based, tick-box Information Security Management assurance towards more contextual, risk-focused and demonstrable compliance.

This long overdue transition is being driven, in part, by data protection regulations such as the General Data Protection Regulation (GDPR) in Europe, and New York State Department of Financial Services (NYS DFS) 500 in the US.

Directly addressing Supply Chain Security, Article 28 of GDPR makes the Data Controller accountable for choosing only Data Processors that can guarantee their technical and organisational measures will ensure data processing meets the requirements of GDPR and protects the rights of the Data Subject. It explicitly cites compliance with Article 32 Security of Processing measures.

Although targeted at the Financial Services sector, NYS DFS Section 500.11 – Third Party Service Provider Security Policy requires a ‘Covered Entity’s’ policies and procedures to be based on the Risk Assessment.

It is not dissimilar to GDPR in requiring that minimum cybersecurity practices be met, that due diligence processes be used to evaluate the adequacy of cybersecurity practices, and that periodic assessment take place based on the risk they present and the continued adequacy of their cybersecurity practices.

Consequently, key regulatory stakeholders, such as the European Network and Information Security Agency (ENISA), are seeing Security in the Supply Chain as a significant Data Protection risk globally. Their recent report, Cyber Insurance: Recent advances, Good Practices and Challenges, highlights that only 23% of organisations assess suppliers for cyber risk.

And, in the US, the National Institute for Standards and Technology (NIST) released the latest draft of the Framework for Improving Critical Infrastructure Cybersecurity also known as the NIST Cybersecurity framework, which has a:

“Greatly expanded explanation of using Framework for Cyber Supply Chain Risk Management (SCRM) purposes:

An expanded Section 3.3 Communicating Cybersecurity Requirements with Stakeholders help users better understand Cyber SCRM. Cyber SCRM has also been added as a property of Implementation Tiers. Finally, a Supply Chain Risk Management Category has been added to the Framework Core”

Meeting supply chain management regulatory requirements

In Section 3.2.6 of the ENISA report, they recommend that, as per ISO 27001 Control objectives and specifically Annex A.15 controls, stakeholders such as insurers, customers, investors, and regulators, verify the existence of a formal third party management process, and receive details on due diligence, ongoing oversight, and contractual obligations.

In the absence of approved GDPR Codes of Conduct, a Data Processor (or other critical supplier) can prove compliance with Article 32 Security of Processing requirements by implementing ISO 27001 and ideally securing ISO 27001 accreditation. This allows them to demonstrate contextual risk identification and management capabilities and the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.

Equally applicable to NYS DFS, in its latest draft of the “foundational” Identify framework function, NIST also references the same ISO 27001 Control objectives and Annex A.15 controls for its Identify Supply Chain Risk Management category, as well as other ISO Control objectives and Annex A controls for all of the other key Identify Categories of:

  • Asset Management;
  • Business Environment;
  • Governance;
  • Risk Assessment; and
  • Risk Management Strategy.

Therefore, whether you choose to implement all of ISO 27001 or just key controls around contextual risk identification and management, it is clear the ISO 27001 A.15 controls to manage Supplier (and Other Important Relationships) offer an effective means of describing how you manage Security in the Supply Chain for both GDPR and NYS DFS 500.

But how do you cost-effectively and quickly demonstrate it?

How to prove management of Security in the Supply Chain

Large enterprises need to move beyond the traditional, comply-or-die supplier questionnaires and contracts that encourage a tick-box response, the accuracy of which will only be tested once an incident has happened, by which time it’s often too late.

Whilst you may be happy you have a watertight contract in place, it’s unlikely your investors, customers and, with GDPR compliance almost upon us, the regulators, will be quite so understanding if you have simply relied on questionnaires and contracts. They will be looking to see that you have engaged and collaborated with your supply chain and have a mechanism for evidencing that agreed/mandated standards, and/or specific policies and controls, are working in practice and not just on paper.

Using online tools allows you to evidence your effective supply chain management and how it integrates with your risk management, audits, and controls.

Beyond that, it allows you to collaborate effectively online with key suppliers, taking a responsible customer approach that helps even the smallest of suppliers achieve appropriate security measures. Encouraging them to take positive, pragmatic, but risk-focused steps will allow them to protect their and your information assets in line with your own policies and controls.

Working together you can build an ISMS and Supply Chain everyone can trust.