ISO 27701 Clause 6.12: Supplier Management Essentials
Forming and maintaining productive supplier relationships forms a large part of most modern data-based businesses – whether through the supply of equipment, support services or subcontracting.
From the outset of the relationship, and throughout the duration of the service contract, both parties need to be continually mindful of their obligations towards privacy information security, and standards should be aligned to safeguard PII and guarantee the integrity of sensitive information.
What’s Covered in ISO 27701 Clause 6.12
ISO 27701 Clause 6.12 is made up of two constituent parts:
- ISO 27701 6.12.1 – Information security in supplier relationships
- ISO 27701 6.12.2 – Supplier service delivery management
Across these two sections, there are 5 sub-clauses that contain guidance from ISO 27002, applied within the context of privacy information management and security:
- ISO 27701 6.12.1.1 – Information security policy for supplier relationships (ISO 27002 Control 5.19)
- ISO 27701 6.12.1.2 – Addressing security within supplier agreements (ISO 27002 Control 5.20)
- ISO 27701 6.12.1.3 – Information and communication technology supply chain (ISO 27002 Control 5.21)
- ISO 27701 6.12.2.1 – Monitoring and review of supplier services (ISO 27002 Control 5.22)
- ISO 27701 6.12.2.2 – Managing changes to supplier services (ISO 27002 Control 5.22)
Just one article contains guidance that is applicable towards UK GDPR legislation – (ISO 27701 6.12.1.2). The article numbers have been provided for your convenience.
Please note that GDPR citations are for indicative purposes only. Organisations should scrutinise the legislation and make their own judgement on what parts of the law applies to them.
ISO 27001 made easy
An 81% Headstart from day one
We’ve done the hard work for you, giving you an 81% Headstart from the moment you log on. All you have to do is fill in the blanks.
ISO 27701 Clause 6.12.1.1 – Protection of Test Data
References ISO 27002 Control 5.19
Organisations need to implement policies and procedures that not only govern the organisation’s use of supplier resources and cloud platforms, but also form the basis of how they expect their suppliers to conduct themselves prior to and throughout the term of the commercial relationship, particularly regarding PII and privacy-related assets.
ISO 27701 6.12.1.1 can be viewed as the essential qualifying document that dictates how privacy information governance is handled over the course of a supplier contract.
Organisations should:
- Maintain a record of supplier types that have the potential to affect privacy information security.
- Understand how to vet suppliers, based on varying risk levels.
- Identify suppliers that have pre-existing privacy information security controls in place.
- Identify areas of the organisation’s ICT infrastructure that suppliers will be able to access or view.
- Define how the suppliers’ own infrastructure can impact upon privacy protection.
- Identify and manage the privacy risks attached to:
- Use of confidential information.
- Use of protected assets.
- Faulty hardware or malfunctioning software.
- Monitor privacy information security compliance on a topic specific or supplier-type basis.
- Limit the any disruption caused as a result of non-compliance.
- Operate with an incident management procedure.
- Implement a thorough training plan that informs staff on how they should interact with suppliers.
- Take great care in transferring privacy information and physical and virtual assets between the organisation and suppliers.
- Ensure that supplier relationships are terminated with privacy information security in mind.
Organisations should use the above guidance when forming new relationships with suppliers, and consider non-adherence on a case-by-case basis.
ISO acknowledges that commercial relationships vary wildly from sector-to-sector and business to business, and gives organisations leeway by recommending the explorations of “compensating controls” that seek to achieve the same underlying privacy protection principles.
ISO 27701 Clause 6.12.1.2 – Addressing Security Within Supplier Agreements
References ISO 27002 Control 5.20
When addressing security within supplier relationships, organisations should ensure that both parties are aware of their obligations towards privacy information security, and one another.
In doing so, organisations should:
- Offer a clear description that details the privacy information that needs to be accessed, and how that information is going to be accessed.
- Classify the privacy information to be accessed in accordance with an accepted classification scheme (see ISO 27002 Controls 5.10, 5.12 and 5.13).
- Give adequate consideration to the suppliers own classification scheme.
- Categorise rights into four main areas – legal, statutory, regulatory and contractual – with a detailed description of obligations per area.
- Ensure that each party is obligated to enact a series of controls that monitor, assess and manage privacy information security risk levels.
- Outline the need for supplier personnel to adhere to an organisation’s information security standards (see ISO 27002 Control 5.20).
- Facilitate a clear understanding of what constitutes both acceptable and unacceptable use of privacy information, and physical and virtual assets from either party.
- Enact authorisation controls that are required for supplier-side personnel to access or view an organisation’s privacy information.
- Give consideration to what occurs in the event of a breach of contract, or any failure to adhere to individual stipulations.
- Outline an Incident Management procedure, including how major events are communicated.
- Ensure that personnel are given security awareness training.
- (If the supplier is permitted to use subcontractors) add in requirements to ensure that subcontractors are aligned with the same set of privacy information security standards as the supplier.
- Consider how supplier personnel are screened prior to interacting with privacy information.
- Stipulate the need for third-party attestations that address the supplier’s ability to fulfil organisational privacy information security requirements.
- Have the contractual right to audit a supplier’s procedures.
- Require suppliers to deliver reports that detail the effectiveness of their own processes and procedures.
- Focus on taking steps to affect the timely and thorough resolution of any defects or conflicts.
- Ensure that suppliers operate with an adequate BUDR policy, to protect the integrity and availability of PII and privacy-related assets.
- Require a supplier-side change management policy that informs the organisation of any changes that have the potential to impact privacy protection.
- Implement physical security controls that are proportional to the sensitivity of the data being stored and processed.
- (Where data is to be transferred) ask suppliers to ensure that data and assets are protected from loss, damage or corruption.
- Outline a list of actions to be taken by either party in the event of termination.
- Ask the supplier to outline how they intends to destroy privacy information following termination, or of the data is no longer required.
- Take steps to ensure minimal business interruption during a handover period.
Organisations should also maintain a register of agreements, that lists all agreements held with other organisations.
Applicable GDPR Articles
- Article 5 (1)(f)
- Article 28 (1)
- Article 28 (3)(a), (3)(b), (3)(c), (3)(d), (3)(e), (3)(f), (3)(g), (3)(h)
- Article 30 (2)(d)
- Article 32 (1)(b)
Relevant ISO 27002 Controls
- ISO 27002 5.10
- ISO 27002 5.12
- ISO 27002 5.13
- ISO 27002 5.20
Free yourself from a mountain of spreadsheets
Embed, expand and scale your compliance, without the mess. IO gives you the resilience and confidence to grow securely.
ISO 27701 Clause 6.12.1.3 – Information and Communication Technology Supply Chain
References ISO 27002 Control 5.21
When contracting out elements of their supply chain, in order to safeguard PII and privacy-related assets, organisations should:
- Draft a clear set of privacy information security standards that suppliers and contractors are fully-conversant with.
- Ask suppliers to provide information on any software components that are used to deliver a service.
- Identify the security functions of any product or service supplied, and establish how said products and services should be operated in a way that doesn’t compromise privacy information security.
- Draft procedures that ensure any products or services fall within accepted industry standards.
- Adhere to a process that identifies and records elements of a product or service that are crucial to maintaining core functionality.
- Ask suppliers to provide assurances that certain components have an attached audit log that evidences movement throughout the supply chain.
- Seek assurance that products and services don’t contain any features which may present a security risk.
- Ensure that suppliers consider anti-tampering measures throughout the development life cycle.
- Seek assurances that any products or services delivered are in alignment with industry-standard privacy information security requirements.
- Take steps to ensure that suppliers are aware of their obligations when sharing privacy information throughout the supply chain.
- Draft procedures that manage risk when operating with unavailable, unsupported or legacy components.
It’s important to note that quality control doesn’t necessarily extend to granular inspection of the supplier’s own procedures.
Organisations should implement supplier-specific checks that confirm third-party organisations as a reputable source, within the sphere of privacy information management.
ISO 27701 Clause 6.12.2.1 – Monitoring and Review of Supplier Services
References ISO 27002 Control 5.22
Organisations need to be continually aware of how supplier services are delivered – and to what levels – in order to maintain a safe, secure privacy information management operation.
To achieve this, organisations should:
- Monitor service levels in accordance with published SLAs.
- Address any service shortfalls or events as quickly as possible, particularly those that impact upon PII or privacy-related assets.
- Monitor any changes made by the supplier to their own operation that has the potential to impact privacy protection, including any service-specific changes.
- Ask to be provided with regular service reports, and scheduled review meetings.
- Scrutinise outsourcing partners and subcontractors, and pursue any areas for concern.
- Operate within agreed Incident Management standards and practices.
- Keep a record of privacy information security events, operational problems and faults.
- Highlight any information security vulnerabilities and mitigate them to the fullest extent.
- Be mindful of the suppliers’ relationships with its own suppliers and subcontractors, and how this impacts upon privacy protection within the boundaries of the organisation itself.
- Identify supplier-side personnel who are responsible for maintaining the terms of the service contract.
- Perform audits that confirm a supplier’s ability to maintain adequate privacy information standards.
Relevant ISO 27002 Controls
- ISO 27002 5.29
- ISO 27002 5.30
- ISO 27002 5.35
- ISO 27002 5.36
- ISO 27002 8.14
Manage all your compliance, all in one place
ISMS.online supports over 100 standards and regulations, giving you a single platform for all your compliance needs.
ISO 27701 Clause 6.12.2.2 – Managing Changes to Supplier Services
References ISO 27002 Control 5.22
See ISO 27701 Clause 6.12.2.1
Supporting Controls From ISO 27002 and GDPR
| ISO 27701 Clause Identifier | ISO 27701 Clause Name | ISO 27002 Requirement | Associated GDPR Articles |
|---|---|---|---|
| 6.12.1.1 | Information Security Policy for Supplier Relationships |
5.19 – Information Security in Supplier Relationships for ISO 27002 |
None |
| 6.12.1.2 | Addressing Security Within Supplier Agreements |
5.20 – Addressing Information Security Within Supplier Agreements for ISO 27002 |
Articles (5), (28), (30), (32) |
| 6.12.1.3 | Information and Communication Technology Supply Chain |
5.21 – Managing Information Security in the ICT Supply Chain for ISO 27002 |
None |
| 6.12.2.1 | Monitoring and Review of Supplier Services |
5.22 – Monitoring, Review and Change Management of Supplier Services for ISO 27002 |
None |
| 6.12.2.2 | Managing Changes to Supplier Services |
5.22 – Monitoring, Review and Change Management of Supplier Services for ISO 27002 |
None |
How ISMS.online Helps
It can be hard to know where to start with ISO 27701, especially if you’ve never had to do anything like this before. This is where ISMS.online comes in!
Our ISO 27701 solutions provide frameworks that allow your organisation to demonstrate compliance with ISO 27701.
Our Information Security experts can work with you to ensure that you develop a logical implementation process that aligns with the online documentation framework.
Find out more by booking a hands on demo.
