ISO 27001 - Annex A.15: Supplier Relationships
What is the objective of Annex A.15.1 of ISO 27001:2013?
Annex A.15.1 is about information security in supplier relationships. The objective here is protection of the organisation’s valuable assets that are accessible to or affected by suppliers. We also recommend that you also consider other key relationships here too, for example partners if they are not suppliers but also have an impact on your assets that might not simply be covered by a contract alone. This is an important part of the information security management system (ISMS) especially if you’d like to achieve ISO 27001 certification. Lets understand those requirements and what they mean in a bit more depth now.
A.15.1.1 Information Security Policy for Supplier Relationships
Suppliers are used for two main reasons; one: you want them to do work that you have chosen not to do internally yourself, or; two: you can’t easily do the work as well or as cost effectively as the suppliers.
There are many important things to consider in approach to supplier selection and management but one size does not fit all and some suppliers will be more important than others. As such your controls and policies should reflect that too and a segmentation of the supply chain is sensible; we advocate four categories of supplier based on the value and risk in the relationship. These range from those who are business critical through to other vendors who have no material impact on your organisation.
Some suppliers are also more powerful than their customers (imagine telling Amazon what to do if you are using their AWS services for hosting) so it’s pointless having controls and policies in place that the suppliers will not adhere to. Therefore reliance on their standard policies, controls and agreements is more likely – meaning the supplier selection and risk management becomes even more important.
In order to take a more forward approach to information security in the supply chain with the more strategic (high value / higher risk) suppliers, organisations should also avoid binary ‘comply or die’ risk transferring practises e.g. awful contracts preventing good collaboration. Instead we recommend they develop more close working relationships with those suppliers where thigh value information and assets are at risk, or they are adding to your information assets in some (positive) way. This is likely to lead to improved working relationships, and therefore deliver better business results too.
A good policy describes the supplier segmentation, selection, management, exit, how information assets around suppliers are controlled in order to mitigate the associated risks, yet still enable the business goals and objectives to be achieved. Smart organisations will wrap their information security policy for suppliers into a broader relationship framework and avoid just concentrating on security per se, looking to the other aspects as well.
An organisation may want suppliers to access and contribute to certain high value information assets (e.g. software code development, accounting payroll information). They would therefore need to have clear agreements of exactly what access they are allowing them, so they can control the security around it. This is especially important with more and more information management, processing and technology services being outsourced. That means having a place to show management of the relationship is happening; contracts, contacts, incidents, relationship activity and risk management etc. Where the supplier is also intimately involved in the organisation, but may not have its own certified ISMS, then ensuring the supplier staff are educated and aware of security, trained on your policies etc is also worth demonstrating compliance around.
A.15.1.2 Addressing Security Within Supplier Agreements
All relevant information security requirements must be in place with each supplier that has access to or can impact the organisation’s information (or assets that process it). Again this should not be a one size fits all – take a risk based approach around the different types of suppliers involved and work they do.
Working with suppliers that already meet the majority of your organisations information security needs for the services they provide to you and have a good track record of addressing information security concerns responsibly is a very good idea – as it will make all of these processes much easier. In simple terms, look for suppliers that already have achieved an independent ISO 27001 certification or equivalent themselves.
It is also important to ensure that the suppliers are being kept informed and engaged with any changes to the ISMS or specifically engaged around the parts that affect their services. Your auditor will want to see this evidenced – so, by keeping a record of this in your supplier on-boarding projects or annual reviews it will be easy to do so. Things to include in the supply scope and agreements generally include: the work and its scope; information at risk and classification; legal and regulatory requirements e.g. adherence to GDPR and or other applicable legislation; reporting and reviews; non disclosure; IPR; incident management; specific policies to comply with if important to the agreement; obligations on subcontractors; screening on staff etc. A good standard contract will deal with these points but as above, sometimes it might not be required, and could be way over the top for the type of supply, or it might not be possible to force a supplier to follow your idea of good practice. Be pragmatic and risk centred in the approach.
This control objective also ties in closely with Annex A.13.2.4 where confidentiality and non-disclosure agreements are the main focus.
A.15.1.3 Information & Communication Technology Supply Chain
A good control builds on A.15.1.2 and is focused on the ICT suppliers who may need something in addition or instead of the standard approach. ISO 27002 advocates numerous areas for implementation and whilst these are all good, some pragmatism is needed as well. The organisation should again recognise its size compared to some of the very large providers that it will sometimes be working with (e.g. datacentres & hosting services, banks etc), therefore potentially limiting its ability to influence practices further into the supply chain. The organisation should consider carefully what risks there may be based upon the type of information and communication technology services that are being provided. For example, if the supplier is a provider of infrastructure critical services, and has access to sensitive information (e.g. source code for the flagship software service) it should ensure there is greater protection than if the supplier is simply exposed to publicly available information (e.g. a simple website).
What is the objective of Annex A.15.2 of ISO 27001:2013?
Annex A.15.2 is about supplier service development management. The objective in this Annex A control is to ensure that an agreed level of information security and service delivery is maintained in line with supplier agreements.
A.15.2.1 Monitoring & Review of Supplier Services
A good control builds on A15.1 and describes how organisations regularly monitor, review and audit their supplier service delivery. Conducting reviews and monitoring is best done based on the information at risk – as a one size approach will not fit all. The organisation should aim to conduct its reviews in line with the proposed segmentation of suppliers in order to therefore optimise their resources and make sure that they focus effort on monitoring & reviewing where it will have the most impact. As with A15.1, sometimes there is a need for pragmatism – you are not necessarily going to get an audit, human relationship review and dedicated service improvements with AWS if you are a very small organisation. You could however check (say) their annually published SOC II reports and security certifications remain fit for your purpose.
Evidence of monitoring should be completed based on your power, risks and value, thus allowing your auditor to be able to see that it has been completed, and that any necessary changes have been managed through a formal change control process.
A.15.2.2 Managing Changes to Supplier Services
A good control describes how any changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, are managed. It takes into account the criticality of business information, the nature of the change, the supplier type/s affected, the systems and processes involved and a re-assessment of risks. Changes to suppliers services should also take into account the intimacy of the relationship and the organisation’s ability to influence or control change in the supplier.
Depending on the nature of the change (i.e. for more material changes) there may be a broader requirement to align with A.6.1.5 information Security in Project Management.
How does ISMS.online help with Supplier Relationships?
ISMS.online has made this control objective very easy by providing evidence that your relationships are carefully elected, managed well in life including being monitored and reviewed. Our easy-to-use Accounts relationships (e.g. supplier) area does just that. The collaborative projects workspaces is great for important supplier onboarding, joint initiatives, offboarding etc all of which the auditor can also view with ease when required. ISMS.online has also made this control objective easier for your organisation by enabling you to provide evidence that the supplier has formally committed to complying with the requirements and has understood its responsibilities for information security through our Policy Packs. Policy Packs are ideal where the organisation has specific policies & controls it wants supplier staff to follow and take confidence they have read them and committed to comply – beyond the broader agreements between customer and supplier.
“While we had an understanding of the technical requirements of ISO 27001, it was ISMS.online that helped to bring it all alive quickly with structure and pre-built tools that enabled us to embed the ISMS across our international sites ”
Franchere Chan – Information Security Lead at Dubber
ISO 27001 Annex A Controls
- A.5 Information security policies
- A.6 Organisation of information security
- A.7 Human resource security
- A.8 Asset management
- A.9 Access control
- A.10 Cryptography
- A.11 Physical and environmental security
- A.12 Operations security
- A.13 Communications security
- A.14 System acquisition, development, and maintenance
- A.15 Supplier relationships
- A.16 Information security incident management
- A.17 Information security aspects of business continuity management
- A.18 Compliance
ISO 27001 requirements
- 4.1 Understanding the organisation and its context
- 4.2 Understanding the needs and expectations of interested parties
- 4.3 Determining the scope of the information security management system
- 4.4 Information security management system
- 5.1 Leadership and commitment
- 5.2 Information Security Policy
- 5.3 Organizational roles, responsibilities and authorities
- 6.1 Actions to address risks and opportunities
- 6.2 Information security objectives and planning to achieve them
- 7.1 Resources
- 7.2 Competence
- 7.3 Awareness
- 7.4 Communication
- 7.5 Documented information
- 8.1 Operational planning and control
- 8.2 Information security risk assessment
- 8.3 Information security risk treatment
- 9.1 Monitoring, measurement, analysis and evaluation
- 9.2 Internal audit
- 9.3 Management review
- 10.1 Nonconformity and corrective action
- 10.2 Continual improvement