Supplier Information Security Evaluation Process
ISO/IEC 27001 Toolkit: Version 10 ©CertiKit
Supplier Information Security Evaluation Process [Insert classification]
Implementation guidance
The header page and this section, up to and including Disclaimer, must be removed from the final version of the document. For more details on replacing the logo, yellow highlighted text and certain generic terms, see the Completion Instructions document.
Purpose of this document
This document describes the process of assessing suppliers' and other third parties' information security arrangements, particularly in the situation where a process has been outsourced to the supplier.
Areas of the standard addressed
This document is relevant to the following sections of the ISO/IEC 27001:2013 standard:
• 8 Operation
  o 8.1 Operational planning and control
• A.15 Supplier relationships
  o A.15.2 Supplier service delivery management
    ▪ A.15.2.1 Monitoring and review of supplier services
General guidance
This process aims to assess the adequacy of suppliers' information security arrangements and to encourage them to put some in place if they don't currently have any. You will need to assess the level of risk to your organization from each supplier based on the responses received. You may decide to perform a full risk assessment of some suppliers if they appear not to have adequate controls in place. This would be performed using the full risk assessment process rather than this evaluation process. This process should be used in conjunction with other supplier-related controls included in section A.15 Supplier relationships within Annex A of the standard.
Review frequency
We would recommend that this document is reviewed annually.
Document fields
This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property "Organization Name". To update this field (and any others that may exist in this document):
1. Update the custom document property "Organization Name" by clicking File > Info > Properties > Advanced Properties > Custom > Organization Name.
2. Press Ctrl A on the keyboard to select all text in the document (or use Select, Select All via the Editing header on the Home tab).
3. Press F9 on the keyboard to update all fields.
4. When prompted, choose the option to just update TOC page numbers.
If you wish to permanently convert the fields in this document to text, for instance, so that they are no longer updateable, you will need to click into each occurrence of the field and press Ctrl Shift F9.
If you would like to make all fields in the document visible, go to File > Options > Advanced > Show document content > Field shading and set this to "Always". This can be useful to check you have updated all fields correctly.
Further detail on the above procedure can be found in the toolkit Completion Instructions. This document also contains guidance on working with the toolkit documents with an Apple Mac, and in Google Docs/Sheets.
Copyright notice
Except for any specifically identified third-party works included, this document has been authored by CertiKit, and is ©CertiKit except as stated below. CertiKit is a company registered in England and Wales with company number 6432088.
Licence terms
This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence. If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third-party copyright included in this document.
Disclaimer
Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only from which you will create your own document and to which you will apply all reasonable quality checks before use. Therefore, please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country. You should take all reasonable and proper legal and other professional advice before using this document. CertiKit makes no claims, promises, or guarantees about the accuracy, completeness or adequacy of our document templates; assumes no duty of care to any person with respect to its document templates or their contents; and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.
Supplier Information Security Evaluation Process
Version 1

DOCUMENT CLASSIFICATION: [Insert classification]
DOCUMENT REF: ISMS-DOC-08-1
VERSION: 1
DATED: [Insert date]
DOCUMENT AUTHOR: [Insert name]
DOCUMENT OWNER: [Insert name/role]
Revision history
VERSION | DATE | REVISION AUTHOR | SUMMARY OF CHANGES

Distribution
NAME | TITLE

Approval
NAME | POSITION | SIGNATURE | DATE
Contents
1 Introduction .......... 8
2 Supplier information security evaluation process .......... 9
  2.1 Process diagram .......... 9
  2.2 Process inputs .......... 10
  2.3 Process activities .......... 10
    2.3.1 Identification of key suppliers .......... 10
    2.3.2 Supplier completes evaluation questionnaire and provides evidence .......... 11
    2.3.3 Evidence reviewed .......... 11
    2.3.4 Visit supplier to review arrangements .......... 11
    2.3.5 Prioritised improvement list created .......... 12
    2.3.6 Supplier carries out improvements .......... 12
    2.3.7 Regular reporting and review .......... 12
  2.4 Process outputs .......... 12
3 Roles and responsibilities .......... 13
  3.1 RACI chart .......... 13
4 Conclusion .......... 14

Figures
Figure 1: Supplier information security evaluation process .......... 9

Tables
Table 1: RACI chart .......... 13
1 Introduction
The effective management of information security has always been a priority for [Organization Name], knowing as it does the high degree of reliance that its interested parties place upon the continued operation of its critical business activities. However, there is still much to be gained by [Organization Name] in introducing industry-standard good practice processes, not the least of which is the ability to become more proactive in our approach to information security and to gain and maintain a better understanding of our stakeholders' needs and plans.
The International Standard for information security management, ISO/IEC 27001, was announced by the ISO in 2005 and updated in 2013. [Organization Name] has started on the road to adoption of the standard and has decided to pursue full certification to ISO/IEC 27001 in order that the effective adoption of best practice in information security management may be validated by an external third party.
But in this inter-connected world, effective internal information security procedures can only go a certain way to ensuring success; attention must also be paid to the ability of our suppliers to protect our and their information in the face of increasing threat levels.
This document sets out a process for the evaluation of the information security arrangements of our suppliers so that a degree of confidence may be gained that they have implemented enough controls to support our requirements. It should be noted that this process is not intended to carry out a full risk assessment of suppliers, but rather to assess whether they have taken such action themselves and have in place adequate precautions to ensure continued supply. This process is particularly relevant where outsourced services are provided on an ongoing basis.
2 Supplier information security evaluation process
2.1 Process diagram
The process of supplier information security evaluation is shown in the diagram below.
Figure 1: Supplier information security evaluation process
Each step in this process is described in more detail in the rest of this document.
2.2 Process inputs
The process of evaluating a supplier's information security arrangements starts with several inputs which are needed to ensure that all of the steps can be completed successfully. These inputs should include, where available:
• [Organization Name] business strategy, plans and objectives
• Information Security Context, Requirements and Scope
• Information Security Policy
• Risk Assessment Report
• Business Impact Analysis
• Business process documentation, e.g. procedures
• Relevant contractual documentation
• Legal and regulatory requirements
• Relevant performance information, e.g. number of security incidents, extent of sensitive information handled or supplied by the supplier
• Financial information regarding costs and contribution to turnover and profit of the business activities supported by the supplier
The availability of this information will ensure that the conclusions reached are based on factual data rather than approximations.
2.3 Process activities
The following activities should be performed as part of the supplier information security evaluation process.
2.3.1 Identification of key suppliers
The starting point for the process is to identify which suppliers are key to the delivery of the organization's critical business activities and the processes that support them. For each critical business activity, the dependencies that support it are identified, including the specific products and services provided by each supplier. This provides a list of suppliers that will need to be assessed in the context of the products and services they supply (as not all aspects of the supplier's business operations will necessarily be relevant to the key business activities of [Organization Name]).
The evaluation of the list of suppliers should be completed in priority order, i.e. in the order of greatest risk to [Organization Name]. This is designed to ensure that risk is minimised as quickly as possible. A schedule of supplier evaluations should be created which considers available resources (of both the organization and the supplier) and any seasonal considerations, e.g. periods of peak business.
2.3.2 Supplier completes evaluation questionnaire and provides evidence
A main contact should be established at the supplier. This contact should be of sufficient authority within the supplier organization to ensure that the evaluation is given adequate priority and that all of the required information can be provided. The form Supplier Evaluation Questionnaire should be sent to the supplier contact with a covering letter explaining the background and the reason for the request for information. The required evidence may be provided in electronic form where possible, or in hard copy if not. A target date for the provision of the completed questionnaire and supporting information should be agreed with the supplier contact and reminders issued where necessary.
2.3.3 Evidence reviewed
Once received, the evidence provided by the supplier should be reviewed by the [Information Security Manager] in consultation with the relevant business managers. This review will aim to assess the residual level of risk to the organization's critical business activities, considering the adequacy of the supplier's information security arrangements.
2.3.4 Visit supplier to review arrangements
Where possible, a visit should be undertaken to the supplier site(s) most relevant to the supply of goods and services to [Organization Name]. The purpose of this visit is to:
• Verify the completeness and accuracy of the evidence provided
• Discuss the improvements that may be required
• Build a relationship with the supplier
• Better understand the business environment
Several visits may be required depending on the geographical spread of locations, scope of product or service supply and availability of key supplier staff.
2.3.5 Prioritised improvement list created
A list of proposed improvements to the supplier's information security arrangements is then created. This list should be prioritised according to level of risk and agreed with the main supplier contact. Commitment to target dates for completion should also be obtained and documented.
2.3.6 Supplier carries out improvements
The supplier is then given an opportunity to address the improvements on the agreed list to the target timescales. The frequency of regular progress updates should be agreed, and progress tracked against the plan. Failure to achieve the identified improvements within the target timescales should be discussed both with the supplier contact and with top management within [Organization Name], and the level of risk reassessed.
2.3.7 Regular reporting and review
In addition to a full annual review, supplier information security assessments will be evaluated on a regular basis to ensure that they remain current. The relevant assessments will also be reviewed upon major changes to the business, such as mergers and acquisitions or the introduction of new products and services.
2.4 Process outputs
The process of supplier information security evaluation results in several outputs which show that all of the steps have been completed successfully. These outputs should include, where possible:
• The completed assessment questionnaire
• Supporting evidence of supplier information security arrangements
• Minutes of meetings held
• Management approval of the conclusions reached
• Results of regular reviews
The availability of this information will allow the conclusions reached to be verified and validated in future reviews and audits.
3 Roles and responsibilities
Within the process of supplier information security evaluation there are a number of key roles that play a part in ensuring that all impacts are identified, addressed and managed. These roles are shown in the RACI table below, together with their relative responsibilities at each stage of the process.
3.1 RACI chart
The table below clarifies the responsibilities at each step using the RACI model, i.e.:
• R: Responsible
• A: Accountable
• C: Consulted
• I: Informed
STEP | INFORMATION SECURITY MANAGER | BUSINESS MANAGEMENT | SUPPLIER CONTACT
Identification of key suppliers | A | R | C
Supplier completes evaluation questionnaire and provides evidence | A | I | R
Evidence reviewed | A | R | I
Visit supplier to review arrangements | A | R | C
Prioritised improvement list created | A | R | C
Supplier carries out improvements | A | C | R
Regular reporting and review | A | R | C
Table 1: RACI chart
Further roles and responsibilities may be added to the above table as the process matures within [Organization Name].
4 Conclusion
The process of supplier information security evaluation is fundamental to the implementation of a successful Information Security Management System (ISMS). By following this process, [Organization Name] will go some way to ensuring that its key suppliers are identified and that their information security strategies and plans are based on a firm and well-considered foundation.
The degree to which this process is followed and the results regularly updated will potentially have a significant impact on the ability of [Organization Name] to protect itself from harmful information security breaches which could have a serious effect on its business and reputation. Many of the recent well-publicized security incidents affecting large corporations are thought to have resulted from information obtained via third party suppliers. This makes it even more important to encourage our suppliers to adopt the good information security practices that we ourselves believe are so vital.