Building stable, secure supplier relationships with ISO 27001

If you ask Mark Graham, our ISO Standards head, about the benefits of ISO 27001, there’s one point he always ends up making. ISO 27001, and in fact the whole ISO 27000 family, is about far more than just information security. It’ll help you:

  • Run your organisation well
  • Think through everything that could stop you from running your organisation well

Of course, that’s not always obvious. But sometimes it just leaps out at you. Annex A.15 of ISO 27001 is one of those moments. It’s all about securing and strengthening your organisation’s supplier relationships.

So a supplier messes up. What’s the worst that could happen?

Back in 2017, one of the big airlines’ IT systems collapsed. 75,000 customers were stranded. Planes were left circling in midair. The airline lost £170 million and faced a compensation bill of more than £150 million. And it was a reputational catastrophe.

The root cause of the incident was an internal power failure. Well-informed observers believe it snowballed into a disaster because the airline had recently outsourced some of their IT operations. Their new supplier let them down and their disaster recovery plan failed.

Nobody remembers the supplier. Most people don’t even know that they exist. But because of them, the airline took severe reputational and financial damage. That’s the kind of damage most businesses would go a long way to avoid. Which is where Annex A.15 will help you.

Strengthening your supplier relationships

Annex A.15 is quite short, but it can have a very big impact. It requires you to make sure that:

  • You’re protecting any information assets your suppliers can access
  • They’ll keep on delivering all the services they’ve agreed to, no matter what

You can see how that would have helped our disrupted airline! And even if you’re not ISO 27001 compliant or certified, you can use Annex A.15 to help you make some very important supplier checks.

Protecting your information assets

You might be sharing information assets with your suppliers. If that’s the case, you should:

  • Work out how your suppliers can safely access your information assets
  • Agree that process with them, making sure they understand every part of it
  • Document the process in a way that’s easy for you and them to access
  • Include your infosec requirements in your formal agreements with them

And, like the airline, you’ll probably have organisations supplying ICT products or services. You’ll need to make sure that whatever they supply meets your infosec requirements too.

Making sure your suppliers always deliver

ISO 27001 is really about risk management. And your suppliers can be a key risk. It’s best to assume that some of them will, at some point, let you down. To offset that, the standard asks you to keep a close eye on them. You should:

  • Keep a general ongoing eye on them
  • Regularly check they’re delivering on time and in full
  • Every so often, properly assess them against your:
    • Existing agreement with them
    • Changing needs and other circumstances

That could lead to changes in your relationship with them. ISO 27001 advises you to have a clear process in place for making and managing those changes. In particular, focus on:

  • Keeping your infosec policies, procedures and controls up to date
  • Maintaining affected critical business information, systems and processes
  • Making sure you reassess any risks your changes affect

That might seem like very basic, common sense advice. But it can save you and your organisation a lot of time, money, reputational damage and frustration. After all, common sense isn’t always as common as you’d think.

Securing your supply chain and your reputation

Your organisation’s reputation is one of its most important assets. It probably works hard to defend and build it. But a moment’s carelessness from someone completely unconnected with your organisation can damage or even destroy it.

That’s why you need to keep a close eye on your suppliers. And it’ll be good for them, too. They’ll want you to be sure they’re delivering the best possible service in the best possible way. And if they don’t, that’s probably your cue to start looking for someone else.

We hope the ISO 27001 guidance we’ve summarised above will help you with that whole process. And we hope it’s helped you understand the standard a little bit more, and see how it can bring some very practical benefits to your organisation.