ISO 27001 - Annex A.15 - supplier relationships

What is Annex A.15?

Once your organisation’s information is shared with a supplier, you may no longer have direct control over it, regardless of its sensitivity or worth. As a result, all external suppliers must be subject to suitable technological and contractual controls and mitigation mechanisms. This is where Annex A.15 comes in.

Annex A.15 covers everything from securing information handled by external suppliers to examining the supplier's disaster recovery processes. It also covers the development of agreements for data return in the event of contract termination or unexpected closure.

Each control of Annex A.15 has an objective to bring your organisation closer to ISO certification. Let’s take a look at them.

What is the objective of Annex A.15?

Annex A.15 is all about controlling and managing the risks connected with the supplier-organisation relationship to guarantee that your operations and your customers' information stays secure. To do this Annex A.15 provides the following 2 major controls:

Annex A.15.1: Information security in supplier relationships

Annex A.15.1 focuses on the protection of organisation information in supplier partnerships. In this case, the goal is to protect the organisation’s assets that are accessible to its suppliers.

It is recommended that you additionally evaluate other critical relationships here, such as partners if they are not suppliers but have an impact on your assets that may not be covered by a contract alone. To acquire ISO 27001 certification, this is an essential aspect of the information security management system (ISMS).

Annex A.15.2: Supplier service delivery management

The goal of this control is to ensure that the degree of information security and service delivery agreed upon with suppliers is maintained.

It is critical to ensure that service providers meet the requirements of third-party contracts as soon as operations begin. This can include everything from the service's availability to more specific details, such as the service provider's security policies. A systematic assessment of services and controls is also required, as well as a close examination of service reports provided by third parties in order to verify that the data they contain is adequate and relevant.

Before diving into the specific controls of each annex, the next section helps you understand what supplier relationships are. 

What are supplier relationships in ISO 27001?

Supplier relationships in ISO 27001 may sometimes be confused with the more popular term, ‘Supplier Relationship Management’. However, these two are not the same. Under the ISO standard, managing supplier relationships means establishing and maintaining rules that keep shared information safe. 

Suppliers are the ones who handle your organisation’s sensitive information the most frequently in supplier relationships. These connections also include business partners and, on occasion, customers.

During operations that could range from outsourcing software development to sharing research on a new product, supplier relationship norms and regulations must be defined. When obtaining new clients, they may want access to your sensitive data for auditing purposes. These are a few examples of when supplier relationship information security is required.

What are the Annex A.15 controls?

Once you are familiar with the concept of supplier relationships, you need to identify and implement the information security controls that best fit your business. The 5 controls of Annex A.15 are:

A.15.1.1: Information security policy for supplier relationships

It is essential that the supplier agrees to and documents information security requirements relating to the risk of access by suppliers to the organisation's assets. The risk assessment should be done whenever any company wishes to grant access to its supplier.

Organisations need to define and incorporate security information controls in their policies. These include:

• Establishing which suppliers, such as those providing information technology (IT) and finance are readily available to the business.
• Ensuring the accuracy and completeness of the information shared by both parties with each other.
• Ensuring that all parties have access to information or processes in the event of a disaster. There must be a strategy for recovery and contingency.
• Educating the personnel of the organisation involved in acquisitions about the related policies, processes, and procedures.
• Education on the acceptable rules of engagement and behaviour depending on provider type and amount of supplier access to the system. 
• Education on the rules of handling information of the organisation for employees of those who deal with staff of suppliers.
• Signing a legal contract to safeguard the integrity of the connection.

A.15.1.2: Addressing security within supplier agreements

The information security requirements for any suppliers who see, process, store, communicate, or deliver IT infrastructure component information for the organisation should be stated and agreed upon. This section shows how to define and accept your responsibilities, as well as record them securely under an applicable policy. This policy may include:

• The task at hand and the extent to which it extends
• Classification of sensitive data
• Requirements imposed by law and regulation
• Reports and evaluations
• Confidentiality
• Intellectual Property Rights (IPR)
• Incident management
• Subcontractors' obligations
• Screening of employees

This agreement also grants the organisation sole authority to audit the supplier and its subcontractors.

A.15.1.3: Information and communication technology supply chain

Supplier agreements include requirements to reduce the security risks connected with the IT services and the product supply chain. This means that if there's a possibility of a data breach, the supplier and contractor will have to get in touch. Suppliers are required to describe how they dealt with minor risks, as well as how they assured the risk was eradicated, even if it is a small risk. Controlling supplier relations effectively requires using crucial services to track the supply chain's history and its point of origin.

A.15.2.1: Monitoring and review of supplier services

Supplier service delivery should be monitored, reviewed, and audited on a regular basis by companies. Information security terms and conditions must be followed and information security incidents and problems must be effectively handled through regular monitoring and assessment of service providers. This includes a process of:

• Verification of agreement compliance through service level monitoring.
• Regularly reviewing service reports from the supplier.
• Performing audits of the supplier and following-up on reported problems and, if possible, use the findings of independent auditors to help resolve issues.
• Providing and reviewing information on safety occurrences as specified in agreements and any applicable standards and procedures.
• Examining the audit and information security reports, operational issues, failures, fault-tracking, and service-related disturbances that manufacturers have reported on in the past.

A.15.2.2: Managing changes to supplier services

Maintaining and upgrading existing information security policies, procedures, and controls is a key component of a well-managed control system. It considers the importance of business information, the nature of the change, the types of suppliers affected, the systems and procedures involved, and a reevaluation of risks. 

The closeness of the relationship and the organisation's ability to influence or manage the supplier should also be taken into account when making changes to suppliers' services.

Why are supplier relationships important for your organisation?

An organisation with a well-defined ISMS can protect its supply chain relationships as well as its corporate reputation. When your current suppliers understand that you have a solid defence against information security threats, they may look forward to long-term partnerships with your organisation. Additionally, assuring the protection of their vital confidential information will help your company's reputation inside the industrial supply chain. 

Conclusion

When planning for ISO 27001 certification, having good supplier relationships proves to auditors that you understand how to safeguard critical information with external parties. Taking the necessary steps to effectively implement these controls also improves your organisation's reputation in the perspective of potential customers and business partners. 

If you are planning to start your journey towards ISO 27001 certification, DataGuard’s team of professionals are here to help you every step of the way. Schedule a free consultation today.