Supplier Information Security Evaluation Process
ISO/IEC 27001 Toolkit Version 7 ©CertiKit 2016
Supplier Information Security Evaluation Process [Insert Classification]
Implementation Guidance (The header page and this section must be removed from final version of the document)
Purpose of this document
This document describes the process of assessing the information security arrangements of suppliers and other third parties, particularly where a business process has been outsourced to the supplier.
Areas of the standard addressed
This document is relevant to the following sections of the ISO/IEC 27001:2013 standard:
- 8 Operation
- 8.1 Operational planning and control
General Guidance
This process aims to assess the adequacy of suppliers' information security arrangements and to encourage suppliers to put arrangements in place if they currently have none. You will need to assess the level of risk to your organization from each supplier based on the responses received. You may decide to perform a full risk assessment of some suppliers if they appear not to have adequate controls in place; this would be performed using the full risk assessment process rather than this evaluation process. This process should be used in conjunction with the other supplier-related controls in section A.15 Supplier relationships of Annex A of the standard.
Review Frequency
We would recommend that this document is reviewed annually.
Toolkit Version Number
ISO/IEC 27001 Toolkit Version 7 ©CertiKit 2016.
Document Fields
This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property “Organization Name”. To update this field (and any others that may exist in this document):
1. Update the custom document property “Organization Name” by clicking File > Info > Properties > Advanced Properties > Custom > Organization Name
2. Press Ctrl A on the keyboard to select all text in the document (or use Select, Select All on the ribbon)
3. Press F9 on the keyboard to update all fields
4. When prompted, choose the option to just update TOC page numbers
If you wish to permanently convert the fields in this document to text, i.e. so that they are no longer updateable, you will need to click into each occurrence of the field and press Ctrl Shift F9. If you would like to make all fields in the document visible, go to File > Options > Advanced > Show document content > Field shading and set this to “Always”. This can be useful to check that you have updated all fields correctly. Further detail on the above procedure can be found in the Toolkit Completion Instructions within the Project Resources folder.
Version 1
Page 1 of 16
[Insert date]
Copyright notice
Except for any third party works included in this document, as identified in this document, this document has been authored by CertiKit, and is © copyright CertiKit except as stated below. CertiKit is a trading name of Public I.T. Limited, a company registered in England and Wales with company number 6432088 and registered office at 5 Falcons Rise, Belper, Derbyshire, DE56 0QN.
Licence terms
This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence. If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third party copyright included in this document.
Disclaimer
Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only, from which you will create your own document and to which you will apply all reasonable quality checks before use. Therefore please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country. You should take all reasonable and proper legal and other professional advice before using this document. CertiKit makes no claims, promises, or guarantees about the accuracy, completeness, or adequacy of our document templates, assumes no duty of care to any person with respect to its document templates or their contents, and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.
[Replace with your logo]
Supplier Information Security Evaluation Process
Document Classification: [Insert Classification]
Document Ref. ISMS-DOC-08-1
Version: 1
Dated: [Insert date]
Document Author:
Document Owner:
Revision History
Version | Date | Revision Author | Summary of Changes

Distribution
Name | Title

Approval
Name | Position | Signature | Date
Contents
1 Introduction
2 Supplier Information Security Evaluation Process
2.1 Process Diagram
2.2 Process Inputs
2.3 Process Activities
2.3.1 Identification of Key Suppliers
2.3.2 Supplier completes evaluation questionnaire and provides evidence
2.3.3 Evidence reviewed
2.3.4 Visit supplier to review arrangements
2.3.5 Prioritised improvement list created
2.3.6 Supplier carries out improvements
2.3.7 Regular Reporting and Review
2.4 Process Outputs
3 Roles and Responsibilities
3.1 RACI Chart
4 Conclusion
5 Appendix A: Information Security Evaluation Questionnaire

List of Figures
Figure 1 - Supplier information security evaluation process

List of Tables
Table 1 - RACI chart
Table 2 - Information security evaluation questionnaire
1 Introduction
The effective management of information security has always been a priority for [Organization Name], knowing as it does the high degree of reliance that its interested parties place upon the continued operation of its critical business activities. However, there is still much to be gained by [Organization Name] in introducing industry-standard good practice processes, not least the ability to become more proactive in our approach to information security and to gain and maintain a better understanding of our stakeholders' needs and plans.

The International Standard for information security management, ISO/IEC 27001, was first published in 2005 and revised in 2013. [Organization Name] has started on the road to adoption of the standard and has decided to pursue full certification to ISO/IEC 27001 so that its adoption of best practice in information security management can be validated by an external third party.

But in an inter-connected world, effective internal information security procedures can only go so far towards ensuring success; attention must also be paid to the ability of our suppliers to protect our information, and their own, in the face of increasing threat levels.

This document sets out a process for evaluating the information security arrangements of our suppliers so that a degree of confidence may be gained that they have implemented sufficient controls to support our requirements. It should be noted that this process is not intended to carry out a full risk assessment of suppliers; rather, it assesses whether they have taken such action themselves and have adequate precautions in place to protect the information they handle on our behalf and to ensure continued supply. This process is particularly relevant where outsourced services are provided on an ongoing basis.
2 Supplier Information Security Evaluation Process

2.1 Process Diagram
The process of supplier information security evaluation is shown in the diagram below.

[Figure 1 is a flow diagram showing the following seven steps in sequence:]
1. Identify the Key Suppliers
2. Supplier completes evaluation questionnaire and provides evidence
3. Evidence reviewed
4. Visit supplier to review arrangements
5. Prioritised improvement list created
6. Supplier carries out improvements
7. Regular Reporting and Review

Figure 1 - Supplier information security evaluation process

Each step in this process is described in more detail in the rest of this document.
2.2 Process Inputs
The process of evaluating a supplier's information security arrangements starts with a number of inputs which are needed to ensure that all of the steps can be completed successfully. These inputs should include, where available:
- [Organization Name] business strategy, plans and objectives
- Information Security Context, Requirements and Scope
- Information Security Policy
- Risk Assessment Report
- Business Impact Analysis
- Business process documentation, e.g. procedures
- Relevant contractual documentation
- Legal and regulatory requirements
- Relevant performance information, e.g. number of security incidents, extent of sensitive information handled or supplied by the supplier
- Financial information regarding costs, and the contribution to turnover and profit of the business activities supported by the supplier
The availability of this information will ensure that the conclusions reached are based on factual data rather than approximations.

2.3 Process Activities
The following activities should be performed as part of the supplier information security evaluation process.

2.3.1 Identification of Key Suppliers
The starting point for the process is to identify which suppliers are key to the delivery of the organization's critical business activities and the processes that support them. This information is captured during the risk assessment and business impact analysis processes that are performed as part of the ISMS. For more detail on these processes please see the following documents:
- Risk Assessment and Treatment Process
- Business Impact Analysis Process
For each critical business activity the dependencies that support it are identified, including the specific products and services provided by each supplier. This provides a list of suppliers that will need to be assessed in the context of the products and services they supply (as not all aspects of the supplier's business operations will necessarily be relevant to the key business activities of [Organization Name]). The evaluation of the list of suppliers should be completed in priority order, i.e. in order of greatest risk to [Organization Name], so that the largest risks are reduced as early as possible. A schedule of supplier evaluations should be created which takes into account available resources (of both the organization and the supplier) and any seasonal considerations, e.g. periods of peak business.

2.3.2 Supplier completes evaluation questionnaire and provides evidence
A main contact should be established at the supplier. This contact should have sufficient authority within the supplier organization to ensure that the evaluation is given adequate priority and that all of the required information can be provided. The questionnaire at Appendix A of this document should be sent to the supplier contact with a covering letter explaining the background and the reason for the request for information. The required evidence may be provided in electronic form where possible, or in hardcopy if not. A target date for the provision of the completed questionnaire and supporting information should be agreed with the supplier contact and reminders issued where necessary. Note that the evidence a supplier provides (risk assessments, ISMS documentation, audit reports) is likely to be sensitive to the supplier and should be handled and stored in accordance with the [Organization Name] information classification scheme.

2.3.3 Evidence reviewed
Once received, the evidence provided by the supplier should be reviewed by the [Information Security Manager] in consultation with the relevant business managers. This review will aim to assess the residual level of risk to the organization's critical business activities, taking into account the adequacy of the supplier's information security arrangements. Where the supplier relies on external certification as evidence (question B1 in Appendix A), the review should check that the scope statement covers the locations, systems and services actually used to supply [Organization Name], and that any sub-contracted aspects of supply (question A8) are covered by the supplier's own supplier controls (Section C).

2.3.4 Visit supplier to review arrangements
Where possible, a visit should be undertaken to the supplier site(s) most relevant to the supply of goods and services to [Organization Name]. The purpose of the visit is to:
- Verify the completeness and accuracy of the evidence provided
- Discuss the improvements that may be required
- Build a relationship with the supplier
- Better understand the business environment
Several visits may be required depending on the geographical spread of locations, the scope of product or service supply and the availability of key supplier staff.
2.3.5 Prioritised improvement list created
A list of proposed improvements to the supplier's information security arrangements is then created. This list should be prioritised according to level of risk and agreed with the main supplier contact. Commitment to target dates for completion should also be obtained and documented.

2.3.6 Supplier carries out improvements
The supplier is then given the opportunity to address the improvements on the agreed list within the target timescales. The frequency of progress updates should be agreed and progress tracked against the plan. Failure to achieve the identified improvements within the target timescales should be discussed both with the supplier contact and with top management within [Organization Name], and the level of risk reassessed.

2.3.7 Regular Reporting and Review
In addition to a full annual review, supplier information security assessments will be reviewed at regular intervals to ensure that they remain current. The relevant assessments will also be reviewed upon major changes to the business, such as mergers and acquisitions or the introduction of new products and services.

2.4 Process Outputs
The process of supplier information security evaluation results in a number of outputs which show that all of the steps have been completed successfully. These outputs should include, where possible:
- The completed assessment questionnaire
- Supporting evidence of supplier information security arrangements
- Minutes of meetings held
- Management approval of the conclusions reached
- Results of regular reviews
The availability of this information will allow the conclusions reached to be verified and validated in future reviews and audits.
3 Roles and Responsibilities
Within the process of supplier information security evaluation there are a number of key roles that play a part in ensuring that the risks arising from key suppliers are identified, addressed and managed. These roles are shown in the RACI table below, together with their responsibilities at each stage of the process.

3.1 RACI Chart
The table below clarifies the responsibilities at each step using the RACI model, i.e.:
R = Responsible
A = Accountable
C = Consulted
I = Informed

Step | Information Security Manager | Business Management | Supplier Contact
Identification of Key Suppliers | A | R | I
Supplier completes evaluation questionnaire and provides evidence | A | C | R
Evidence reviewed | A | R | R
Visit supplier to review arrangements | A | I | C
Prioritised improvement list created | A | R | C
Supplier carries out improvements | A | C | R
Regular Reporting and Review | A | R | C

Table 1 - RACI chart

Further roles and responsibilities may be added to the above table as the process matures within [Organization Name].
4 Conclusion
The process of supplier information security evaluation is fundamental to the implementation of a successful Information Security Management System (ISMS). By following this process [Organization Name] will go some way to ensuring that its key suppliers are identified and that their information security strategies and plans are based on a firm and well-considered foundation. The degree to which this process is followed, and its results kept up to date, will have a significant bearing on the ability of [Organization Name] to protect itself from harmful information security breaches which could have a serious effect on its business and reputation. A number of well-publicized security incidents affecting large corporations are reported to have originated from access or information obtained via third party suppliers. This makes it all the more important to encourage our suppliers to adopt the good information security practices that we ourselves believe are so vital.
5 Appendix A: Information Security Evaluation Questionnaire
The following questionnaire should be sent to the main supplier contact with a covering letter explaining the background and what is required.

Information Security Questionnaire

Section A. Supplier Details
Ref. | Question | Response | Evidence required | Evidence provided
A1 | Organization Name | | None |
A2 | Main Contact | | None |
A3 | Main business address | | None |
A4 | Goods or services supplied | | None |
A5 | Locations supplied from | | None |
A6 | Method of supply | | None |
A7 | Volume of supply | | None |
A8 | Please specify any aspects of supply that are sub-contracted or outsourced | | List of subcontractors and outsource providers |

Section B. Information Security Arrangements
Ref. | Question | Response | Evidence required | Evidence provided
B1 | Is the organization (or any parts of it) certified to any external standards (e.g. ISO/IEC 27001)? | | Copies of certifications, including scope statements |
B2 | Do you have a formal risk management process in place? | | Process document; risk assessments |
B3 | Do you have an information security management system (ISMS) in place? | | ISMS documentation |
B4 | Do you have documented information security plans or procedures? | | Information security plans and procedures |
B5 | Do you have an internal audit function? | | Audit reports |

Section C. Suppliers
Ref. | Question | Response | Evidence required | Evidence provided
C1 | Do you conduct risk assessments of your suppliers? | | Risk assessments |
C2 | Do you have a supplier management programme in place? | | Supplier management documentation |
C3 | Do you assess the adequacy of your suppliers' information security controls? | | Assessment documentation |

Table 2 - Information security evaluation questionnaire