Are you trying to achieve ISO 27001 certification? Then it is time to start monitoring your vendors’ cyber-security.
Developing appropriate information security measures is one of the main challenges and critical aspects that organizations face today. Companies of all kinds need to implement safeguards to ensure their information assets are secured; this much is a given.
Many organizations decide to build their information security management system (ISMS) in alignment with the ISO/IEC 27001 standard, while only a small proportion of them go further by actually trying to obtain the ISO/IEC 27001 certification through a third-party accredited body.
One of the critical issues that companies aiming for certification confront is ensuring that appropriate measures are in place to manage the security within their supply chain. ISO 27001 addresses this topic under a specified section called Supplier Relationship which outlines acceptable practices for supplier cybersecurity management.
Vendor information security requirements of ISO/IEC 27001
One of the major concerns that companies face today when developing an ISMS is how to approach the management of third-party security risks, which in many cases is a weak link.
Companies may have defined policies and procedures that frame third-party risk management. Whilst this is sufficient in theory, problems arise when information security teams want to assess all vendors that are relevant from an information security perspective. In many cases, such suppliers number in the hundreds or even thousands, and most of them represent some degree of risk to the company.
Specifically, the Supplier Relationships section focuses on the management of information security within the supply chain. In practice, this means that companies need to actually implement controls to manage security risks related to their suppliers if they want to achieve the ISO 27001 Certification.
The section has two different categories regarding supplier management: Information security in supplier relationships and Supplier service delivery management.
Information security in supplier relationships aims to ensure the protection of an organization’s assets that are accessible to suppliers. The specific controls that organizations should implement to comply with this are as follows:
● Define an information security policy for supplier relationships that addresses the risks associated with vendors’ access to the organization’s information.
● Establish agreements including all relevant information security requirements with each vendor that processes information of the organization.
● In addition to the general requirements for supplier relationships in the point above, also include in the agreements the information security requirements for information and communication technology products (this would include cloud computing services).
Secondly, Supplier service delivery management aims to maintain an agreed level of information security and service delivery within supplier agreements. The specific controls required for this category are:
● Ensure that suppliers follow information security requirements established in the agreements by monitoring, reviewing and conducting audits of the suppliers on a regular basis.
● Manage changes to supplier services, which includes changes to agreements with suppliers, reviewing and updating policies and procedures…
CyberVadis can help you achieve the ISO 27001 Certificate
Clearly, it is imperative that organizations aiming for ISO/IEC 27001 certification or compliance implement appropriate security measures within their supply chain.
One of the key controls that companies need to implement relates to monitoring, reviewing and conducting audits of suppliers on a regular basis.
This is where CyberVadis comes in. Our team has developed a scalable solution to cover the whole supply chain with a thorough third-party cybersecurity assessment process.
We help companies identify vendors to assess, and engage them directly to complete assessments with a simple click-to-complete solution.
Our in-house team of cybersecurity analysts validates and scores answers and reviews supporting documentation, checking results against external risk factors, to deliver a detailed scorecard and improvement plan.
Results are displayed on a collaborative platform, with detailed improvement plans. In addition, security managers can use our platform to communicate with vendors and request the implementation of improvement actions.
Contact us to schedule a demo and discover how CyberVadis can help you manage vendor risk.