Ensuring Information Security in Supplier Relationships: Annex A.15.1

The Objective of Annex A.15.1: Information Security in Supplier Relationships

Annex A.15.1 of ISO/IEC 27001, the standard against which an information security management system (ISMS) is certified, covers the protection of an organization’s assets that suppliers can access or affect. Its objective is to ensure that appropriate controls and policies are in place to manage the risks that supplier relationships introduce.

It is important to note that the scope of this annex extends beyond traditional suppliers. Organizations should also consider other key relationships, such as partners, that may have an impact on their assets but are not necessarily classified as suppliers.

A.15.1.1: Information Security Policy for Supplier Relationships

Suppliers are engaged for two main reasons: either organizations choose not to perform certain tasks internally and outsource them to suppliers, or suppliers possess specialized expertise that organizations cannot match in terms of quality or cost-effectiveness.

When it comes to supplier selection and management, there are several important factors to consider. It is crucial to recognize that a one-size-fits-all approach does not work in this context, as some suppliers will be more critical and influential than others. Therefore, controls and policies should be tailored to reflect the value and risk associated with each supplier. A segmentation of the supply chain based on these factors is recommended.

A common approach is to categorize suppliers into four tiers by the value they deliver and the risk they carry, from business-critical suppliers at one end to vendors with no material impact on the organization at the other, with the depth of due diligence, contractual requirements and monitoring increasing with the tier.

Some suppliers also hold more bargaining power than their customers. An organization hosting on Amazon Web Services (AWS), for example, has little scope to negotiate the terms and policies AWS imposes. Where the contract cannot be shaped, supplier selection becomes the main control available, and the residual risk must be assessed and managed on the organization’s own side rather than assumed to be covered by the agreement.

To adopt a proactive approach to information security in the supply chain, organizations should develop closer working relationships with strategic suppliers. This is particularly crucial when high-value information and assets are at risk or when suppliers contribute positively to an organization’s information assets. Building strong relationships with suppliers can lead to improved business results.

An effective information security policy for supplier relationships should encompass supplier segmentation, selection, management, and exit strategies. It should also outline how information assets related to suppliers are controlled to mitigate associated risks while enabling the achievement of business goals and objectives.

Smart organizations integrate their information security policy for suppliers into a broader relationship framework, considering not only security but also other aspects of the relationship. For example, organizations may want suppliers to access and contribute to specific high-value information assets, such as software code development or accounting payroll information. Clear agreements regarding access and security controls are necessary in such cases, especially when outsourcing information management, processing, and technology services.

Organizations must be able to demonstrate that supplier relationships are managed effectively. This includes keeping records of contracts, contacts, incidents, relationship activities and risk treatment. Where supplier staff work closely inside the organization but the supplier has no certified ISMS of its own, evidence that those staff have been made aware of the organization’s security policies and trained on them is needed to show that the control is operating.

A.15.1.2: Addressing Security within Supplier Agreements

All relevant information security requirements must be incorporated into agreements with suppliers who have access to or can impact an organization’s information or assets. It is important to take a risk-based approach when defining these requirements, considering the different types of suppliers involved and the nature of their work.

Working with suppliers that already meet most of an organization’s information security requirements for the service in question is strongly recommended. Suppliers with a proven track record of handling information security responsibly and with independent ISO 27001 certification (or equivalent) are good candidates, provided that the certification’s stated scope actually covers the service being purchased rather than some unrelated part of the supplier’s business.

Organizations should also ensure that suppliers are kept informed and engaged with any changes to the ISMS, particularly those that affect their services. Maintaining records of supplier onboarding projects or annual reviews can provide evidence of this engagement, which auditors may require.

When drafting supplier agreements, the scope of supply should spell out: the work to be performed and its boundaries; the information at risk and its classification; applicable legal and regulatory requirements (for example, GDPR); reporting and review arrangements; confidentiality and non-disclosure terms; intellectual property rights; incident management procedures, including how and when incidents are reported to the organization; the specific policies the supplier must comply with; obligations that flow down to subcontractors; and staff screening requirements, among others.

By addressing these considerations within supplier agreements, organizations can establish a robust framework for managing information security risks in their supplier relationships.