With respect to Suppliers you will need to be in control of a number of topics:
- You will need to have an overview of all your suppliers
- There needs to be an assigned owner to each supplier
- You will need to know basic legal information about your suppliers
- You will need to be in control of the contract with suppliers
- You will need to review all the contracts on security and business continuity issues
- You will need to determine if suppliers have access to your application and software tools
- You will need to determine if suppliers have access to data and what type of data
- You will need to know if suppliers are involved in security procedures
- You will need to classify your suppliers and set classification criteria
- On a yearly basis, you will need to assess all supplier information
- On a yearly basis, you will need to assess the high-risk suppliers
- You will need to have a supplier procedure in place that describes the selection, review, and off-boarding process
Suppliers are a key element in your ISMS; without realising it, you will probably already have 20 suppliers when you start building your ISMS. The Suppliers Overview is always a complex topic. The time it takes you to complete this section will soon pay off: with this exercise you have performed your first supplier assessment, and this will make you aware of the risks that certain suppliers pose to your business.
We grouped the information about your supplier into 3 topics:
- Risk Profile
Be careful when adding and naming suppliers: once you have added and named a supplier, you will not be able to change its name afterwards.
Below are some tips:
- There are all kinds of suppliers; that is why we have created a drop-down list of Profiles.
- TechTools are, for example, all the tooling that your development/product team uses. Assigning a profile makes it easy to search the overview. Make sure you list all paid and free tools you use; any of them may carry security or business continuity risks.
- Do not forget all Marketing Tools, especially the ones that are used for monitoring your product (e.g. Hotjar).
- Cloud Providers (e.g. AWS, Azure) are not TechTools.
- Business Services can be non-tech and might have no security risk; however, they might have business continuity risks, so list them as well.
- Do not forget the HR tooling (e.g. for recruitment or administration)
- Other examples of suppliers: Compleye, co-working spaces, and, if you are a ‘spin-off company’, your mother company, which probably delivers services to you and is therefore also a supplier.
- List all your suppliers. It is our experience that when you review this on a yearly basis you will probably discover some tooling/services that are no longer in use: in the heat of the business, the account was never closed or cancelled.
- If a supplier has access to software you are using, tick the box ‘is part of Software Access’. The supplier will then appear as an option in the Access Management section.
- You can add contracts and the run time of contracts; this is especially important for high-risk suppliers, as you will need to assess all contracts on a yearly basis.
- Compliance information can be found on the supplier's website. If there is no search function, look at the bottom of the page; most security and compliance information pages are linked there.
- If you cannot find any information on the website, first classify at a high level whether the supplier is a security risk. If not, start with the Risk Profile; you will probably score them low, and compliance information is then less important. An NDA might still be applicable, however.
- For high-risk suppliers it is very practical if the supplier is ISO27001 certified, as that makes the supplier assessment a bit easier. This can also become part of your supplier selection criteria: for certain jobs you will only select ISO27001-certified partners.
- If a Data Process Agreement is in place, add it to the section Legal & Compliance / GDPR / DPA Overview. That is far more efficient for your DPO (and the GDPR assessment).
- If NDAs or SLAs are in place, make sure to add them to this section, and add more information if needed.
- You will need to classify your suppliers, and therefore you will need to set up risk criteria. Store this information in the Procedure/Info section of the Suppliers Overview, since you will use the same criteria for all suppliers. We created a link above the risks so you can check the criteria before assigning a profile.
- To help you, we have defined risk criteria that you can use (see the table below). You can copy this information into the Procedure / Info section and customize it if needed.
| | Low | Medium | High |
| --- | --- | --- | --- |
| Information security | The supplier has no access to end-user data or source code | The supplier only has access to metadata on end-users and/or source code | The supplier has access to the end-user data (including personal data) and/or to the IT infrastructure |
| Business Continuity | In the event of a supply interruption, switching to a comparable service is relatively easy | A supply interruption causes short-term problems within important business processes | A supply interruption causes mid-term to long-term problems within important business processes |
- Once you have defined and approved your supplier management procedure, you can add a copy to this section as well, so that all information is in one place.
- Quality Risks are not a mandatory topic for ISMS.
The next 4 checkboxes will be addressed at a later stage:
- Part of outsourced ISO27001 jobs (Statement of Applicability)
- Stakeholder in access management overview (Certification Process)
- Access to restricted data (Data Classification)
- Involved in security procedures (Policies & Procedures)
| Field Name | Value | Example / tips |
| --- | --- | --- |
| Name | Free text field. | Compleye |
| Owner | Select the owner from a drop-down menu. | [Name team member] |
| Status | Select the status from a drop-down menu; options are Active or Inactive. | Active |
| Profile | Select a business profile from a drop-down menu; options are: Business Services Provider, MarCom, Office Tools, Project Management Tools, Third-Party Data Provider, Documentation Storage, Other. | Business Services |
| Supplier Headquarter | Indicate the supplier's headquarters in a free text format. | Amsterdam, The Netherlands |
| Jurisdiction of Supplier | Indicate the supplier's country of residence in a free text format. | Amsterdam |
| Type of Contract | Indicate the contract type in a free text format. | Paid Subscription |
| Date of Contract | Select a date using the embedded calendar. | [date picker] |
| +Upload Document | | [Upload the confirmation of assignment] |
| Run Time | Specify the service run time in a free text format. | 1 year |
| Used Since | Select a date using the embedded calendar. | [date picker] |
| Closed Since | Select a date using the embedded calendar. | – |
| Main Contact | Indicate the main contact in a free text format. | Karolin Kruiskamp |
| Contact Details | Indicate contact details in a free text format. | email@example.com |
| Field Name | Value | Example / tips |
| --- | --- | --- |
| Terms & conditions available | Select the checkbox to indicate an affirmative choice. If required, include additional information in a free text format. | [selection] |
| GDPR policy in place | Select the checkbox to indicate an affirmative choice. | [some suppliers have specific GDPR policies or statements; most of them are available on the supplier's website] |
| NDA/Confidentiality agreement signed | Select the checkbox to indicate an affirmative choice. If required, include additional information in a free text format. | [selection] |
| Data process agreement | Select the checkbox to indicate an affirmative choice. If required, include additional information in a free text format. | [if yes, add the DPA to the DPA overview under Section Legal & Compliance – GDPR] |
| Software license agreement | | [selection; if yes, add the SLA to this section] |
| Certifications | | [check on the website which certifications are in place, e.g. ISO9001, SOC-2, etc.] |
| Extra Info | Include any additional information, if available. | [whatever information you think might be valuable; also use this section for notes if there are changes] |
| Upload Document | Upload relevant documents, if available. | |
| Risk Criteria | Include the prescribed risk criteria in a free text format. | [Use the content in the Wiki as an example, adjust if needed, and add it to the Criteria info box in the Procedure/Info section] |
| Information Security Risk | Select the determined risk profile from a drop-down menu; options are Low, Medium, High. | Low |
| Business Continuity | Select the determined risk profile from a drop-down menu; options are Low, Medium, High. | Medium |
| Upload Document | Upload the relevant document, if available. | |
| Part of Outsourced ISO27001 | Select the checkbox to indicate an affirmative choice. | |
| Stakeholder in Access Management Overview | Checkbox combined with descriptive free text. | |
| Access to Restricted Data Resources | | |
| Involved in Security Procedure | | |